Remove peer_pkeys from SSL_SESSION.

peer_pkeys comes from some world where peers can send multiple certificates - in fact, one of each known type. Since we do not live in such a world, get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2 and TLSv1.3, both clients and servers can only send a single leaf (aka end-entity) certificate). ok inoguchi@ tb@
author: jsing <> 2022-01-11 19:03:15 +0000
committer: jsing <> 2022-01-11 19:03:15 +0000
commit: 29dd08f9d36c1e143430c23b6c134c873648b8f4 (patch)
tree: 41d4132a79c4a27fd233912019e3d7a523318b29 /src/lib/libssl/ssl_srvr.c
parent: 1e518bcbf05a26f72d8671b296a6096f39cf402e (diff)
download: openbsd-29dd08f9d36c1e143430c23b6c134c873648b8f4.tar.gz
openbsd-29dd08f9d36c1e143430c23b6c134c873648b8f4.tar.bz2
openbsd-29dd08f9d36c1e143430c23b6c134c873648b8f4.zip
1 files changed, 6 insertions, 8 deletions
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 786362ea02..30545320b3 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.139 2022/01/11 18:39:28 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.140 2022/01/11 19:03:15 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1905,7 +1905,7 @@ ssl3_get_cert_verify(SSL *s)
        CBS cbs, signature;
        const struct ssl_sigalg *sigalg = NULL;
        uint16_t sigalg_value = SIGALG_NONE;
-        EVP_PKEY *pkey = NULL;
+        EVP_PKEY *pkey;
        X509 *peer_cert = NULL;
        EVP_MD_CTX *mctx = NULL;
        int al, verify;
@@ -1928,11 +1928,9 @@ ssl3_get_cert_verify(SSL *s)
        CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);
-        if (s->session->peer_cert != NULL) {
+        peer_cert = s->session->peer_cert;
-                peer_cert = s->session->peer_cert;
+        pkey = X509_get0_pubkey(peer_cert);
-                pkey = X509_get_pubkey(peer_cert);
+        type = X509_certificate_type(peer_cert, pkey);
-                type = X509_certificate_type(peer_cert, pkey);
-        }
        if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
                S3I(s)->hs.tls12.reuse_message = 1;
@@ -2131,7 +2129,7 @@ ssl3_get_cert_verify(SSL *s)
        tls1_transcript_free(s);
 err:
        EVP_MD_CTX_free(mctx);
-        EVP_PKEY_free(pkey);
        return (ret);
 }
author	jsing <>	2022-01-11 19:03:15 +0000
committer	jsing <>	2022-01-11 19:03:15 +0000
commit	29dd08f9d36c1e143430c23b6c134c873648b8f4 (patch)
tree	41d4132a79c4a27fd233912019e3d7a523318b29 /src/lib/libssl/ssl_srvr.c
parent	1e518bcbf05a26f72d8671b296a6096f39cf402e (diff)
download	openbsd-29dd08f9d36c1e143430c23b6c134c873648b8f4.tar.gz openbsd-29dd08f9d36c1e143430c23b6c134c873648b8f4.tar.bz2 openbsd-29dd08f9d36c1e143430c23b6c134c873648b8f4.zip

diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index 786362ea02..30545320b3 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_srvr.c,v 1.139 2022/01/11 18:39:28 jsing Exp $ */	1	/* $OpenBSD: ssl_srvr.c,v 1.140 2022/01/11 19:03:15 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1905,7 +1905,7 @@ ssl3_get_cert_verify(SSL *s)
1905	CBS cbs, signature;	1905	CBS cbs, signature;
1906	const struct ssl_sigalg *sigalg = NULL;	1906	const struct ssl_sigalg *sigalg = NULL;
1907	uint16_t sigalg_value = SIGALG_NONE;	1907	uint16_t sigalg_value = SIGALG_NONE;
1908	EVP_PKEY *pkey = NULL;	1908	EVP_PKEY *pkey;
1909	X509 *peer_cert = NULL;	1909	X509 *peer_cert = NULL;
1910	EVP_MD_CTX *mctx = NULL;	1910	EVP_MD_CTX *mctx = NULL;
1911	int al, verify;	1911	int al, verify;
@@ -1928,11 +1928,9 @@ ssl3_get_cert_verify(SSL *s)
1928		1928
1929	CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);	1929	CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);
1930		1930
1931	if (s->session->peer_cert != NULL) {	1931	peer_cert = s->session->peer_cert;
1932	peer_cert = s->session->peer_cert;	1932	pkey = X509_get0_pubkey(peer_cert);
1933	pkey = X509_get_pubkey(peer_cert);	1933	type = X509_certificate_type(peer_cert, pkey);
1934	type = X509_certificate_type(peer_cert, pkey);
1935	}
1936		1934
1937	if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE_VERIFY) {	1935	if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
1938	S3I(s)->hs.tls12.reuse_message = 1;	1936	S3I(s)->hs.tls12.reuse_message = 1;
@@ -2131,7 +2129,7 @@ ssl3_get_cert_verify(SSL *s)
2131	tls1_transcript_free(s);	2129	tls1_transcript_free(s);
2132	err:	2130	err:
2133	EVP_MD_CTX_free(mctx);	2131	EVP_MD_CTX_free(mctx);
2134	EVP_PKEY_free(pkey);	2132
2135	return (ret);	2133	return (ret);
2136	}	2134	}
2137		2135