Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump ok tb@
author: beck <> 2021-10-23 20:42:50 +0000
committer: beck <> 2021-10-23 20:42:50 +0000
commit: 294ec6eff6667e3e978a71ce4219ef96214e4b98 (patch)
tree: 29525b524ab0802402e6cb477926f195db081bea /src
parent: c47d838425ca8bf46524f3d2c215287091f3e2aa (diff)
download: openbsd-294ec6eff6667e3e978a71ce4219ef96214e4b98.tar.gz
openbsd-294ec6eff6667e3e978a71ce4219ef96214e4b98.tar.bz2
openbsd-294ec6eff6667e3e978a71ce4219ef96214e4b98.zip
4 files changed, 21 insertions, 4 deletions
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index a6ab4fc2f6..258cde67e4 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.213 2021/10/23 16:29:15 beck Exp $ */
+/* $OpenBSD: ssl.h,v 1.214 2021/10/23 20:42:50 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -513,6 +513,7 @@ int SSL_set_num_tickets(SSL *s, size_t num_tickets);
 size_t SSL_get_num_tickets(const SSL *s);
 int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets);
 size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx);
+STACK_OF(X509) *SSL_get0_verified_chain(const SSL *s);
 #endif
 #ifndef LIBRESSL_INTERNAL
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index a711b5db5c..4c39925c60 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.85 2021/10/23 16:11:30 tb Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.86 2021/10/23 20:42:50 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -447,6 +447,15 @@ ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
                ret = X509_verify_cert(ctx);
        s->verify_result = X509_STORE_CTX_get_error(ctx);
+        sk_X509_pop_free(s->internal->verified_chain, X509_free);
+        s->internal->verified_chain = NULL;
+        if (X509_STORE_CTX_get0_chain(ctx) != NULL) {
+                s->internal->verified_chain = X509_STORE_CTX_get1_chain(ctx);
+                if (s->internal->verified_chain == NULL) {
+                        SSLerrorx(ERR_R_MALLOC_FAILURE);
+                        ret = 0;
+                }
+        }
 err:
        X509_STORE_CTX_free(ctx);
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 3c7bdfd265..cfd5c9bfb8 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.274 2021/10/23 16:29:15 beck Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.275 2021/10/23 20:42:50 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -900,6 +900,12 @@ SSL_get_peer_cert_chain(const SSL *s)
        return (r);
 }
+STACK_OF(X509) *
+SSL_get0_verified_chain(const SSL *s)
+{
+        return s->internal->verified_chain;
+}
 /*
 * Now in theory, since the calling process own 't' it should be safe to
 * modify.  We need to be able to read f without being hassled
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 579899f464..aa6233e617 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.365 2021/10/23 16:29:15 beck Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.366 2021/10/23 20:42:50 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1031,6 +1031,7 @@ typedef struct ssl_internal_st {
        int empty_record_count;
        size_t num_tickets; /* Unused, for OpenSSL compatibility */
+        STACK_OF(X509) *verified_chain;
 } SSL_INTERNAL;
 struct ssl_st {
author	beck <>	2021-10-23 20:42:50 +0000
committer	beck <>	2021-10-23 20:42:50 +0000
commit	294ec6eff6667e3e978a71ce4219ef96214e4b98 (patch)
tree	29525b524ab0802402e6cb477926f195db081bea /src
parent	c47d838425ca8bf46524f3d2c215287091f3e2aa (diff)
download	openbsd-294ec6eff6667e3e978a71ce4219ef96214e4b98.tar.gz openbsd-294ec6eff6667e3e978a71ce4219ef96214e4b98.tar.bz2 openbsd-294ec6eff6667e3e978a71ce4219ef96214e4b98.zip