diff options
| author | jsing <> | 2022-08-17 07:39:19 +0000 |
|---|---|---|
| committer | jsing <> | 2022-08-17 07:39:19 +0000 |
| commit | b0c5f651476e9397892adf645bba468df03d0ea9 (patch) | |
| tree | d4b208572f46a7c773aecb3e2d410aeaae5e817a /src/lib/libssl/tls13_client.c | |
| parent | 7e9e21e27683a4be2c58fedde7fc9303f63a83f9 (diff) | |
| download | openbsd-b0c5f651476e9397892adf645bba468df03d0ea9.tar.gz openbsd-b0c5f651476e9397892adf645bba468df03d0ea9.tar.bz2 openbsd-b0c5f651476e9397892adf645bba468df03d0ea9.zip | |
Deduplicate peer certificate chain processing code.
Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.
This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.
ok tb@
Diffstat (limited to 'src/lib/libssl/tls13_client.c')
| -rw-r--r-- | src/lib/libssl/tls13_client.c | 26 |
1 files changed, 4 insertions, 22 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index b1efafdfdd..87759632f9 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_client.c,v 1.97 2022/07/24 14:16:29 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_client.c,v 1.98 2022/08/17 07:39:19 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -553,9 +553,8 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) | |||
| 553 | struct stack_st_X509 *certs = NULL; | 553 | struct stack_st_X509 *certs = NULL; |
| 554 | SSL *s = ctx->ssl; | 554 | SSL *s = ctx->ssl; |
| 555 | X509 *cert = NULL; | 555 | X509 *cert = NULL; |
| 556 | EVP_PKEY *pkey; | ||
| 557 | const uint8_t *p; | 556 | const uint8_t *p; |
| 558 | int alert_desc, cert_type; | 557 | int alert_desc; |
| 559 | int ret = 0; | 558 | int ret = 0; |
| 560 | 559 | ||
| 561 | if ((certs = sk_X509_new_null()) == NULL) | 560 | if ((certs = sk_X509_new_null()) == NULL) |
| @@ -610,28 +609,11 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) | |||
| 610 | "failed to verify peer certificate", NULL); | 609 | "failed to verify peer certificate", NULL); |
| 611 | goto err; | 610 | goto err; |
| 612 | } | 611 | } |
| 612 | s->session->verify_result = s->verify_result; | ||
| 613 | ERR_clear_error(); | 613 | ERR_clear_error(); |
| 614 | 614 | ||
| 615 | cert = sk_X509_value(certs, 0); | 615 | if (!tls_process_peer_certs(s, certs)) |
| 616 | X509_up_ref(cert); | ||
| 617 | |||
| 618 | if ((pkey = X509_get0_pubkey(cert)) == NULL) | ||
| 619 | goto err; | ||
| 620 | if (EVP_PKEY_missing_parameters(pkey)) | ||
| 621 | goto err; | 616 | goto err; |
| 622 | if ((cert_type = ssl_cert_type(pkey)) < 0) | ||
| 623 | goto err; | ||
| 624 | |||
| 625 | X509_up_ref(cert); | ||
| 626 | X509_free(s->session->peer_cert); | ||
| 627 | s->session->peer_cert = cert; | ||
| 628 | s->session->peer_cert_type = cert_type; | ||
| 629 | |||
| 630 | s->session->verify_result = s->verify_result; | ||
| 631 | |||
| 632 | sk_X509_pop_free(s->session->cert_chain, X509_free); | ||
| 633 | s->session->cert_chain = certs; | ||
| 634 | certs = NULL; | ||
| 635 | 617 | ||
| 636 | if (ctx->ocsp_status_recv_cb != NULL && | 618 | if (ctx->ocsp_status_recv_cb != NULL && |
| 637 | !ctx->ocsp_status_recv_cb(ctx)) | 619 | !ctx->ocsp_status_recv_cb(ctx)) |