diff options
| author | jsing <> | 2022-08-17 07:39:19 +0000 |
|---|---|---|
| committer | jsing <> | 2022-08-17 07:39:19 +0000 |
| commit | b0c5f651476e9397892adf645bba468df03d0ea9 (patch) | |
| tree | d4b208572f46a7c773aecb3e2d410aeaae5e817a /src/lib/libssl/tls13_server.c | |
| parent | 7e9e21e27683a4be2c58fedde7fc9303f63a83f9 (diff) | |
| download | openbsd-b0c5f651476e9397892adf645bba468df03d0ea9.tar.gz openbsd-b0c5f651476e9397892adf645bba468df03d0ea9.tar.bz2 openbsd-b0c5f651476e9397892adf645bba468df03d0ea9.zip | |
Deduplicate peer certificate chain processing code.
Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.
This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.
ok tb@
Diffstat (limited to 'src/lib/libssl/tls13_server.c')
| -rw-r--r-- | src/lib/libssl/tls13_server.c | 28 |
1 files changed, 3 insertions, 25 deletions
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index 5aee5f1a93..8f225433f0 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_server.c,v 1.100 2022/07/24 14:16:29 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_server.c,v 1.101 2022/08/17 07:39:19 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> | 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> |
| @@ -860,9 +860,7 @@ tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) | |||
| 860 | struct stack_st_X509 *certs = NULL; | 860 | struct stack_st_X509 *certs = NULL; |
| 861 | SSL *s = ctx->ssl; | 861 | SSL *s = ctx->ssl; |
| 862 | X509 *cert = NULL; | 862 | X509 *cert = NULL; |
| 863 | EVP_PKEY *pkey; | ||
| 864 | const uint8_t *p; | 863 | const uint8_t *p; |
| 865 | int cert_type; | ||
| 866 | int ret = 0; | 864 | int ret = 0; |
| 867 | 865 | ||
| 868 | if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) | 866 | if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) |
| @@ -911,31 +909,11 @@ tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) | |||
| 911 | "failed to verify peer certificate", NULL); | 909 | "failed to verify peer certificate", NULL); |
| 912 | goto err; | 910 | goto err; |
| 913 | } | 911 | } |
| 912 | s->session->verify_result = s->verify_result; | ||
| 914 | ERR_clear_error(); | 913 | ERR_clear_error(); |
| 915 | 914 | ||
| 916 | /* | 915 | if (!tls_process_peer_certs(s, certs)) |
| 917 | * Achtung! Due to API inconsistency, a client includes the peer's leaf | ||
| 918 | * certificate in the stored certificate chain, while a server does not. | ||
| 919 | */ | ||
| 920 | cert = sk_X509_shift(certs); | ||
| 921 | |||
| 922 | if ((pkey = X509_get0_pubkey(cert)) == NULL) | ||
| 923 | goto err; | 916 | goto err; |
| 924 | if (EVP_PKEY_missing_parameters(pkey)) | ||
| 925 | goto err; | ||
| 926 | if ((cert_type = ssl_cert_type(pkey)) < 0) | ||
| 927 | goto err; | ||
| 928 | |||
| 929 | X509_up_ref(cert); | ||
| 930 | X509_free(s->session->peer_cert); | ||
| 931 | s->session->peer_cert = cert; | ||
| 932 | s->session->peer_cert_type = cert_type; | ||
| 933 | |||
| 934 | s->session->verify_result = s->verify_result; | ||
| 935 | |||
| 936 | sk_X509_pop_free(s->session->cert_chain, X509_free); | ||
| 937 | s->session->cert_chain = certs; | ||
| 938 | certs = NULL; | ||
| 939 | 917 | ||
| 940 | ctx->handshake_stage.hs_type |= WITH_CCV; | 918 | ctx->handshake_stage.hs_type |= WITH_CCV; |
| 941 | ret = 1; | 919 | ret = 1; |