diff options
| author | jsing <> | 2022-01-11 19:03:15 +0000 |
|---|---|---|
| committer | jsing <> | 2022-01-11 19:03:15 +0000 |
| commit | 29dd08f9d36c1e143430c23b6c134c873648b8f4 (patch) | |
| tree | 41d4132a79c4a27fd233912019e3d7a523318b29 /src/lib/libssl/tls13_client.c | |
| parent | 1e518bcbf05a26f72d8671b296a6096f39cf402e (diff) | |
| download | openbsd-29dd08f9d36c1e143430c23b6c134c873648b8f4.tar.gz openbsd-29dd08f9d36c1e143430c23b6c134c873648b8f4.tar.bz2 openbsd-29dd08f9d36c1e143430c23b6c134c873648b8f4.zip | |
Remove peer_pkeys from SSL_SESSION.
peer_pkeys comes from some world where peers can send multiple certificates
- in fact, one of each known type. Since we do not live in such a world,
get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2
and TLSv1.3, both clients and servers can only send a single leaf
(aka end-entity) certificate).
ok inoguchi@ tb@
Diffstat (limited to 'src/lib/libssl/tls13_client.c')
| -rw-r--r-- | src/lib/libssl/tls13_client.c | 20 |
1 files changed, 8 insertions, 12 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index 3e168a0b54..4b52f6cf62 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_client.c,v 1.92 2022/01/11 18:39:28 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_client.c,v 1.93 2022/01/11 19:03:15 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -561,7 +561,7 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) | |||
| 561 | X509 *cert = NULL; | 561 | X509 *cert = NULL; |
| 562 | EVP_PKEY *pkey; | 562 | EVP_PKEY *pkey; |
| 563 | const uint8_t *p; | 563 | const uint8_t *p; |
| 564 | int cert_idx, alert_desc; | 564 | int alert_desc, cert_type; |
| 565 | int ret = 0; | 565 | int ret = 0; |
| 566 | 566 | ||
| 567 | if ((certs = sk_X509_new_null()) == NULL) | 567 | if ((certs = sk_X509_new_null()) == NULL) |
| @@ -625,24 +625,20 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) | |||
| 625 | goto err; | 625 | goto err; |
| 626 | if (EVP_PKEY_missing_parameters(pkey)) | 626 | if (EVP_PKEY_missing_parameters(pkey)) |
| 627 | goto err; | 627 | goto err; |
| 628 | if ((cert_idx = ssl_cert_type(cert, pkey)) < 0) | 628 | if ((cert_type = ssl_cert_type(cert, pkey)) < 0) |
| 629 | goto err; | 629 | goto err; |
| 630 | 630 | ||
| 631 | sk_X509_pop_free(s->session->cert_chain, X509_free); | ||
| 632 | s->session->cert_chain = certs; | ||
| 633 | certs = NULL; | ||
| 634 | |||
| 635 | X509_up_ref(cert); | ||
| 636 | X509_free(s->session->peer_pkeys[cert_idx].x509); | ||
| 637 | s->session->peer_pkeys[cert_idx].x509 = cert; | ||
| 638 | s->session->peer_key = &s->session->peer_pkeys[cert_idx]; | ||
| 639 | |||
| 640 | X509_up_ref(cert); | 631 | X509_up_ref(cert); |
| 641 | X509_free(s->session->peer_cert); | 632 | X509_free(s->session->peer_cert); |
| 642 | s->session->peer_cert = cert; | 633 | s->session->peer_cert = cert; |
| 634 | s->session->peer_cert_type = cert_type; | ||
| 643 | 635 | ||
| 644 | s->session->verify_result = s->verify_result; | 636 | s->session->verify_result = s->verify_result; |
| 645 | 637 | ||
| 638 | sk_X509_pop_free(s->session->cert_chain, X509_free); | ||
| 639 | s->session->cert_chain = certs; | ||
| 640 | certs = NULL; | ||
| 641 | |||
| 646 | if (ctx->ocsp_status_recv_cb != NULL && | 642 | if (ctx->ocsp_status_recv_cb != NULL && |
| 647 | !ctx->ocsp_status_recv_cb(ctx)) | 643 | !ctx->ocsp_status_recv_cb(ctx)) |
| 648 | goto err; | 644 | goto err; |