Add a chain member to CERT_PKEY and provide functions for manipulating it.

Note that this is not the full chain, as the leaf certificate currently remains in the x509 member of CERT_PKEY. Unfortunately we've got to contend with the fact that some OpenSSL *_chain_* APIs exclude the leaf certificate while others include it... ok beck@ tb@
author: jsing <> 2019-03-25 16:24:57 +0000
committer: jsing <> 2019-03-25 16:24:57 +0000
commit: 491a1b9b73d1852fd706b6845c3635f5bd3d3834 (patch)
tree: 13375f607f621c75e951e8c9dfb3c880fd5fb6e6 /src/lib/libssl/ssl_cert.c
parent: ed1f555802549862bf6249547c85f53ce8b3cd41 (diff)
download: openbsd-491a1b9b73d1852fd706b6845c3635f5bd3d3834.tar.gz
openbsd-491a1b9b73d1852fd706b6845c3635f5bd3d3834.tar.bz2
openbsd-491a1b9b73d1852fd706b6845c3635f5bd3d3834.zip
1 files changed, 66 insertions, 2 deletions
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 313ff3ae5c..ab76939116 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.72 2018/11/19 14:42:01 jsing Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.73 2019/03/25 16:24:57 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -275,6 +275,12 @@ ssl_cert_dup(CERT *cert)
                                SSLerrorx(SSL_R_LIBRARY_BUG);
                        }
                }
+                if (cert->pkeys[i].chain != NULL) {
+                        if ((ret->pkeys[i].chain =
+                            X509_chain_up_ref(cert->pkeys[i].chain)) == NULL)
+                                goto err;
+                }
        }
        /*
@@ -291,12 +297,13 @@ ssl_cert_dup(CERT *cert)
        return (ret);
-err:
+ err:
        DH_free(ret->dh_tmp);
        for (i = 0; i < SSL_PKEY_NUM; i++) {
                X509_free(ret->pkeys[i].x509);
                EVP_PKEY_free(ret->pkeys[i].privatekey);
+                sk_X509_pop_free(ret->pkeys[i].chain, X509_free);
        }
        free (ret);
        return NULL;
@@ -320,11 +327,68 @@ ssl_cert_free(CERT *c)
        for (i = 0; i < SSL_PKEY_NUM; i++) {
                X509_free(c->pkeys[i].x509);
                EVP_PKEY_free(c->pkeys[i].privatekey);
+                sk_X509_pop_free(c->pkeys[i].chain, X509_free);
        }
        free(c);
 }
+int
+ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain)
+{
+        if (c->key == NULL)
+                return 0;
+        sk_X509_pop_free(c->key->chain, X509_free);
+        c->key->chain = chain;
+        return 1;
+}
+int
+ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain)
+{
+        STACK_OF(X509) *new_chain = NULL;
+        if (chain != NULL) {
+                if ((new_chain = X509_chain_up_ref(chain)) == NULL)
+                        return 0;
+        }
+        if (!ssl_cert_set0_chain(c, new_chain)) {
+                sk_X509_pop_free(new_chain, X509_free);
+                return 0;
+        }
+        return 1;
+}
+int
+ssl_cert_add0_chain_cert(CERT *c, X509 *cert)
+{
+        if (c->key == NULL)
+                return 0;
+        if (c->key->chain == NULL) {
+                if ((c->key->chain = sk_X509_new_null()) == NULL)
+                        return 0;
+        }
+        if (!sk_X509_push(c->key->chain, cert))
+                return 0;
+        return 1;
+}
+int
+ssl_cert_add1_chain_cert(CERT *c, X509 *cert)
+{
+        if (!ssl_cert_add0_chain_cert(c, cert))
+                return 0;
+        X509_up_ref(cert);
+        return 1;
+}
 SESS_CERT *
 ssl_sess_cert_new(void)
 {
author	jsing <>	2019-03-25 16:24:57 +0000
committer	jsing <>	2019-03-25 16:24:57 +0000
commit	491a1b9b73d1852fd706b6845c3635f5bd3d3834 (patch)
tree	13375f607f621c75e951e8c9dfb3c880fd5fb6e6 /src/lib/libssl/ssl_cert.c
parent	ed1f555802549862bf6249547c85f53ce8b3cd41 (diff)
download	openbsd-491a1b9b73d1852fd706b6845c3635f5bd3d3834.tar.gz openbsd-491a1b9b73d1852fd706b6845c3635f5bd3d3834.tar.bz2 openbsd-491a1b9b73d1852fd706b6845c3635f5bd3d3834.zip

diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c index 313ff3ae5c..ab76939116 100644 --- a/src/lib/libssl/ssl_cert.c +++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_cert.c,v 1.72 2018/11/19 14:42:01 jsing Exp $ */	1	/* $OpenBSD: ssl_cert.c,v 1.73 2019/03/25 16:24:57 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -275,6 +275,12 @@ ssl_cert_dup(CERT *cert)
275	SSLerrorx(SSL_R_LIBRARY_BUG);	275	SSLerrorx(SSL_R_LIBRARY_BUG);
276	}	276	}
277	}	277	}
		278
		279	if (cert->pkeys[i].chain != NULL) {
		280	if ((ret->pkeys[i].chain =
		281	X509_chain_up_ref(cert->pkeys[i].chain)) == NULL)
		282	goto err;
		283	}
278	}	284	}
279		285
280	/*	286	/*
@@ -291,12 +297,13 @@ ssl_cert_dup(CERT *cert)
291		297
292	return (ret);	298	return (ret);
293		299
294	err:	300	err:
295	DH_free(ret->dh_tmp);	301	DH_free(ret->dh_tmp);
296		302
297	for (i = 0; i < SSL_PKEY_NUM; i++) {	303	for (i = 0; i < SSL_PKEY_NUM; i++) {
298	X509_free(ret->pkeys[i].x509);	304	X509_free(ret->pkeys[i].x509);
299	EVP_PKEY_free(ret->pkeys[i].privatekey);	305	EVP_PKEY_free(ret->pkeys[i].privatekey);
		306	sk_X509_pop_free(ret->pkeys[i].chain, X509_free);
300	}	307	}
301	free (ret);	308	free (ret);
302	return NULL;	309	return NULL;
@@ -320,11 +327,68 @@ ssl_cert_free(CERT *c)
320	for (i = 0; i < SSL_PKEY_NUM; i++) {	327	for (i = 0; i < SSL_PKEY_NUM; i++) {
321	X509_free(c->pkeys[i].x509);	328	X509_free(c->pkeys[i].x509);
322	EVP_PKEY_free(c->pkeys[i].privatekey);	329	EVP_PKEY_free(c->pkeys[i].privatekey);
		330	sk_X509_pop_free(c->pkeys[i].chain, X509_free);
323	}	331	}
324		332
325	free(c);	333	free(c);
326	}	334	}
327		335
		336	int
		337	ssl_cert_set0_chain(CERT c, STACK_OF(X509) chain)
		338	{
		339	if (c->key == NULL)
		340	return 0;
		341
		342	sk_X509_pop_free(c->key->chain, X509_free);
		343	c->key->chain = chain;
		344
		345	return 1;
		346	}
		347
		348	int
		349	ssl_cert_set1_chain(CERT c, STACK_OF(X509) chain)
		350	{
		351	STACK_OF(X509) *new_chain = NULL;
		352
		353	if (chain != NULL) {
		354	if ((new_chain = X509_chain_up_ref(chain)) == NULL)
		355	return 0;
		356	}
		357	if (!ssl_cert_set0_chain(c, new_chain)) {
		358	sk_X509_pop_free(new_chain, X509_free);
		359	return 0;
		360	}
		361
		362	return 1;
		363	}
		364
		365	int
		366	ssl_cert_add0_chain_cert(CERT c, X509 cert)
		367	{
		368	if (c->key == NULL)
		369	return 0;
		370
		371	if (c->key->chain == NULL) {
		372	if ((c->key->chain = sk_X509_new_null()) == NULL)
		373	return 0;
		374	}
		375	if (!sk_X509_push(c->key->chain, cert))
		376	return 0;
		377
		378	return 1;
		379	}
		380
		381	int
		382	ssl_cert_add1_chain_cert(CERT c, X509 cert)
		383	{
		384	if (!ssl_cert_add0_chain_cert(c, cert))
		385	return 0;
		386
		387	X509_up_ref(cert);
		388
		389	return 1;
		390	}
		391
328	SESS_CERT *	392	SESS_CERT *
329	ssl_sess_cert_new(void)	393	ssl_sess_cert_new(void)
330	{	394	{