diff options
| author | jsing <> | 2019-03-25 16:46:48 +0000 |
|---|---|---|
| committer | jsing <> | 2019-03-25 16:46:48 +0000 |
| commit | d6a095cfa3d05c1eea376148faa4717ae6179ef0 (patch) | |
| tree | 9a455e2fb81b77b4b5f6878a083f4a220ffdb937 /src/lib | |
| parent | 42a11c8897b7bbb7bcb07484b3b02dd1fbcd3454 (diff) | |
| download | openbsd-d6a095cfa3d05c1eea376148faa4717ae6179ef0.tar.gz openbsd-d6a095cfa3d05c1eea376148faa4717ae6179ef0.tar.bz2 openbsd-d6a095cfa3d05c1eea376148faa4717ae6179ef0.zip | |
Rework ssl_ctx_use_certificate_chain_bio() to use the CERT_PKEY chain.
This means that any additional CA certificates end up on the per
certificate chain, rather than the single/shared extra_certs.
Also simplify this code and in particular, avoid setting the return value
to indicate success until we've actually succeeded.
ok beck@ tb@
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libssl/ssl_rsa.c | 72 |
1 files changed, 26 insertions, 46 deletions
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c index 4d2b1c9fb3..0936c0bd4c 100644 --- a/src/lib/libssl/ssl_rsa.c +++ b/src/lib/libssl/ssl_rsa.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_rsa.c,v 1.30 2018/11/08 20:55:18 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_rsa.c,v 1.31 2019/03/25 16:46:48 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -611,63 +611,43 @@ SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d, | |||
| 611 | static int | 611 | static int |
| 612 | ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in) | 612 | ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in) |
| 613 | { | 613 | { |
| 614 | X509 *ca, *x = NULL; | ||
| 615 | unsigned long err; | ||
| 614 | int ret = 0; | 616 | int ret = 0; |
| 615 | X509 *x = NULL; | ||
| 616 | |||
| 617 | ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */ | ||
| 618 | 617 | ||
| 619 | x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback, | 618 | if ((x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback, |
| 620 | ctx->default_passwd_callback_userdata); | 619 | ctx->default_passwd_callback_userdata)) == NULL) { |
| 621 | if (x == NULL) { | ||
| 622 | SSLerrorx(ERR_R_PEM_LIB); | 620 | SSLerrorx(ERR_R_PEM_LIB); |
| 623 | goto end; | 621 | goto err; |
| 624 | } | 622 | } |
| 625 | 623 | ||
| 626 | ret = SSL_CTX_use_certificate(ctx, x); | 624 | if (!SSL_CTX_use_certificate(ctx, x)) |
| 625 | goto err; | ||
| 627 | 626 | ||
| 628 | if (ERR_peek_error() != 0) | 627 | if (!ssl_cert_set0_chain(ctx->internal->cert, NULL)) |
| 629 | ret = 0; | 628 | goto err; |
| 630 | /* Key/certificate mismatch doesn't imply ret==0 ... */ | ||
| 631 | if (ret) { | ||
| 632 | /* | ||
| 633 | * If we could set up our certificate, now proceed to | ||
| 634 | * the CA certificates. | ||
| 635 | */ | ||
| 636 | X509 *ca; | ||
| 637 | int r; | ||
| 638 | unsigned long err; | ||
| 639 | 629 | ||
| 640 | sk_X509_pop_free(ctx->extra_certs, X509_free); | 630 | /* Process any additional CA certificates. */ |
| 641 | ctx->extra_certs = NULL; | 631 | while ((ca = PEM_read_bio_X509(in, NULL, |
| 642 | 632 | ctx->default_passwd_callback, | |
| 643 | while ((ca = PEM_read_bio_X509(in, NULL, | 633 | ctx->default_passwd_callback_userdata)) != NULL) { |
| 644 | ctx->default_passwd_callback, | 634 | if (!ssl_cert_add0_chain_cert(ctx->internal->cert, ca)) { |
| 645 | ctx->default_passwd_callback_userdata)) != NULL) { | 635 | X509_free(ca); |
| 646 | r = SSL_CTX_add_extra_chain_cert(ctx, ca); | 636 | goto err; |
| 647 | if (!r) { | ||
| 648 | X509_free(ca); | ||
| 649 | ret = 0; | ||
| 650 | goto end; | ||
| 651 | } | ||
| 652 | /* | ||
| 653 | * Note that we must not free r if it was successfully | ||
| 654 | * added to the chain (while we must free the main | ||
| 655 | * certificate, since its reference count is increased | ||
| 656 | * by SSL_CTX_use_certificate). | ||
| 657 | */ | ||
| 658 | } | 637 | } |
| 638 | } | ||
| 659 | 639 | ||
| 660 | /* When the while loop ends, it's usually just EOF. */ | 640 | /* When the while loop ends, it's usually just EOF. */ |
| 661 | err = ERR_peek_last_error(); | 641 | err = ERR_peek_last_error(); |
| 662 | if (ERR_GET_LIB(err) == ERR_LIB_PEM && | 642 | if (ERR_GET_LIB(err) == ERR_LIB_PEM && |
| 663 | ERR_GET_REASON(err) == PEM_R_NO_START_LINE) | 643 | ERR_GET_REASON(err) == PEM_R_NO_START_LINE) { |
| 664 | ERR_clear_error(); | 644 | ERR_clear_error(); |
| 665 | else | 645 | ret = 1; |
| 666 | ret = 0; /* some real error */ | ||
| 667 | } | 646 | } |
| 668 | 647 | ||
| 669 | end: | 648 | err: |
| 670 | X509_free(x); | 649 | X509_free(x); |
| 650 | |||
| 671 | return (ret); | 651 | return (ret); |
| 672 | } | 652 | } |
| 673 | 653 | ||