Rework ssl_ctx_use_certificate_chain_bio() to use the CERT_PKEY chain.

This means that any additional CA certificates end up on the per certificate chain, rather than the single/shared extra_certs. Also simplify this code and in particular, avoid setting the return value to indicate success until we've actually succeeded. ok beck@ tb@
author: jsing <> 2019-03-25 16:46:48 +0000
committer: jsing <> 2019-03-25 16:46:48 +0000
commit: efbbd2468336b87fa8f4dc802ec09d5638f8f0cb (patch)
tree: 9a455e2fb81b77b4b5f6878a083f4a220ffdb937 /src/lib/libssl/ssl_rsa.c
parent: 9d491a167ce1014692dd6f5e3e6ad4b655889db1 (diff)
download: openbsd-efbbd2468336b87fa8f4dc802ec09d5638f8f0cb.tar.gz
openbsd-efbbd2468336b87fa8f4dc802ec09d5638f8f0cb.tar.bz2
openbsd-efbbd2468336b87fa8f4dc802ec09d5638f8f0cb.zip
1 files changed, 26 insertions, 46 deletions
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index 4d2b1c9fb3..0936c0bd4c 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_rsa.c,v 1.30 2018/11/08 20:55:18 jsing Exp $ */
+/* $OpenBSD: ssl_rsa.c,v 1.31 2019/03/25 16:46:48 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -611,63 +611,43 @@ SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d,
 static int
 ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in)
 {
+        X509 *ca, *x = NULL;
+        unsigned long err;
        int ret = 0;
-        X509 *x = NULL;
-        ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
-        x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,
+        if ((x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,
-            ctx->default_passwd_callback_userdata);
+            ctx->default_passwd_callback_userdata)) == NULL) {
-        if (x == NULL) {
                SSLerrorx(ERR_R_PEM_LIB);
-                goto end;
+                goto err;
        }
-        ret = SSL_CTX_use_certificate(ctx, x);
+        if (!SSL_CTX_use_certificate(ctx, x))
+                goto err;
-        if (ERR_peek_error() != 0)
+        if (!ssl_cert_set0_chain(ctx->internal->cert, NULL))
-                ret = 0;
+                goto err;
-        /* Key/certificate mismatch doesn't imply ret==0 ... */
-        if (ret) {
-                /*
-                 * If we could set up our certificate, now proceed to
-                 * the CA certificates.
-                 */
-                X509 *ca;
-                int r;
-                unsigned long err;
-                sk_X509_pop_free(ctx->extra_certs, X509_free);
+        /* Process any additional CA certificates. */
-                ctx->extra_certs = NULL;
+        while ((ca = PEM_read_bio_X509(in, NULL,
+            ctx->default_passwd_callback,
-                while ((ca = PEM_read_bio_X509(in, NULL,
+            ctx->default_passwd_callback_userdata)) != NULL) {
-                    ctx->default_passwd_callback,
+                if (!ssl_cert_add0_chain_cert(ctx->internal->cert, ca)) {
-                    ctx->default_passwd_callback_userdata)) != NULL) {
+                        X509_free(ca);
-                        r = SSL_CTX_add_extra_chain_cert(ctx, ca);
+                        goto err;
-                        if (!r) {
-                                X509_free(ca);
-                                ret = 0;
-                                goto end;
-                        }
-                        /*
-                         * Note that we must not free r if it was successfully
-                         * added to the chain (while we must free the main
-                         * certificate, since its reference count is increased
-                         * by SSL_CTX_use_certificate).
-                         */
                }
+        }
-                /* When the while loop ends, it's usually just EOF. */
+        /* When the while loop ends, it's usually just EOF. */
-                err = ERR_peek_last_error();
+        err = ERR_peek_last_error();
-                if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
+        if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
-                    ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
+            ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {
-                        ERR_clear_error();
+                ERR_clear_error();
-                else
+                ret = 1;
-                        ret = 0; /* some real error */
        }
-end:
+ err:
        X509_free(x);
        return (ret);
 }
author	jsing <>	2019-03-25 16:46:48 +0000
committer	jsing <>	2019-03-25 16:46:48 +0000
commit	efbbd2468336b87fa8f4dc802ec09d5638f8f0cb (patch)
tree	9a455e2fb81b77b4b5f6878a083f4a220ffdb937 /src/lib/libssl/ssl_rsa.c
parent	9d491a167ce1014692dd6f5e3e6ad4b655889db1 (diff)
download	openbsd-efbbd2468336b87fa8f4dc802ec09d5638f8f0cb.tar.gz openbsd-efbbd2468336b87fa8f4dc802ec09d5638f8f0cb.tar.bz2 openbsd-efbbd2468336b87fa8f4dc802ec09d5638f8f0cb.zip

diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c index 4d2b1c9fb3..0936c0bd4c 100644 --- a/src/lib/libssl/ssl_rsa.c +++ b/src/lib/libssl/ssl_rsa.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_rsa.c,v 1.30 2018/11/08 20:55:18 jsing Exp $ */	1	/* $OpenBSD: ssl_rsa.c,v 1.31 2019/03/25 16:46:48 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -611,63 +611,43 @@ SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX ctx, const unsigned char d,
611	static int	611	static int
612	ssl_ctx_use_certificate_chain_bio(SSL_CTX ctx, BIO in)	612	ssl_ctx_use_certificate_chain_bio(SSL_CTX ctx, BIO in)
613	{	613	{
		614	X509 ca, x = NULL;
		615	unsigned long err;
614	int ret = 0;	616	int ret = 0;
615	X509 *x = NULL;
616
617	ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
618		617
619	x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,	618	if ((x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,
620	ctx->default_passwd_callback_userdata);	619	ctx->default_passwd_callback_userdata)) == NULL) {
621	if (x == NULL) {
622	SSLerrorx(ERR_R_PEM_LIB);	620	SSLerrorx(ERR_R_PEM_LIB);
623	goto end;	621	goto err;
624	}	622	}
625		623
626	ret = SSL_CTX_use_certificate(ctx, x);	624	if (!SSL_CTX_use_certificate(ctx, x))
		625	goto err;
627		626
628	if (ERR_peek_error() != 0)	627	if (!ssl_cert_set0_chain(ctx->internal->cert, NULL))
629	ret = 0;	628	goto err;
630	/* Key/certificate mismatch doesn't imply ret==0 ... */
631	if (ret) {
632	/*
633	* If we could set up our certificate, now proceed to
634	* the CA certificates.
635	*/
636	X509 *ca;
637	int r;
638	unsigned long err;
639		629
640	sk_X509_pop_free(ctx->extra_certs, X509_free);	630	/* Process any additional CA certificates. */
641	ctx->extra_certs = NULL;	631	while ((ca = PEM_read_bio_X509(in, NULL,
642		632	ctx->default_passwd_callback,
643	while ((ca = PEM_read_bio_X509(in, NULL,	633	ctx->default_passwd_callback_userdata)) != NULL) {
644	ctx->default_passwd_callback,	634	if (!ssl_cert_add0_chain_cert(ctx->internal->cert, ca)) {
645	ctx->default_passwd_callback_userdata)) != NULL) {	635	X509_free(ca);
646	r = SSL_CTX_add_extra_chain_cert(ctx, ca);	636	goto err;
647	if (!r) {
648	X509_free(ca);
649	ret = 0;
650	goto end;
651	}
652	/*
653	* Note that we must not free r if it was successfully
654	* added to the chain (while we must free the main
655	* certificate, since its reference count is increased
656	* by SSL_CTX_use_certificate).
657	*/
658	}	637	}
		638	}
659		639
660	/* When the while loop ends, it's usually just EOF. */	640	/* When the while loop ends, it's usually just EOF. */
661	err = ERR_peek_last_error();	641	err = ERR_peek_last_error();
662	if (ERR_GET_LIB(err) == ERR_LIB_PEM &&	642	if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
663	ERR_GET_REASON(err) == PEM_R_NO_START_LINE)	643	ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {
664	ERR_clear_error();	644	ERR_clear_error();
665	else	645	ret = 1;
666	ret = 0; /* some real error */
667	}	646	}
668		647
669	end:	648	err:
670	X509_free(x);	649	X509_free(x);
		650
671	return (ret);	651	return (ret);
672	}	652	}
673		653