Prepare to provide SSL_use_certificate_chain_file()

This is the same as SSL_CTX_use_certificate_chain_file() but for an
SSL object instead of an SSL_CTX object. remi found this in a recent
librelp update, so we need to provide it. The function will be exposed
in an upcoming library bump.

ok inoguchi on an earlier version, input/ok jsing

2 files changed, 40 insertions, 15 deletions

diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index e7ff6cec2a..36c9ef02bd 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.182 2021/02/20 08:33:17 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.183 2021/03/19 19:51:07 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1357,6 +1357,9 @@ int	SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len);
 int     SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
 int     SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);
 int     SSL_use_certificate_file(SSL *ssl, const char *file, int type);
+#if defined(LIBRESSL_INTERNAL)
+int     SSL_use_certificate_chain_file(SSL *ssl, const char *file);
+#endif
 int     SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type);
 int     SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);
 int     SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index 0936c0bd4c..18ae5307d3 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_rsa.c,v 1.31 2019/03/25 16:46:48 jsing Exp $ */
+/* $OpenBSD: ssl_rsa.c,v 1.32 2021/03/19 19:51:07 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -68,7 +68,10 @@
 
 static int ssl_set_cert(CERT *c, X509 *x509);
 static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
-static int ssl_ctx_use_certificate_chain_bio(SSL_CTX *, BIO *);
+static int use_certificate_chain_bio(BIO *in, CERT *cert,
+    pem_password_cb *passwd_cb, void *passwd_arg);
+static int use_certificate_chain_file(const char *file, CERT *cert,
+    pem_password_cb *passwd_cb, void *passwd_arg);
 
 int
 SSL_use_certificate(SSL *ssl, X509 *x)
@@ -609,29 +612,29 @@ SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d,
  * sent to the peer in the Certificate message.
  */
 static int
-ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in)
+use_certificate_chain_bio(BIO *in, CERT *cert, pem_password_cb *passwd_cb,
+    void *passwd_arg)
 {
         X509 *ca, *x = NULL;
         unsigned long err;
         int ret = 0;
 
-        if ((x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,
-            ctx->default_passwd_callback_userdata)) == NULL) {
+        if ((x = PEM_read_bio_X509_AUX(in, NULL, passwd_cb, passwd_arg)) ==
+            NULL) {
                 SSLerrorx(ERR_R_PEM_LIB);
                 goto err;
         }
 
-        if (!SSL_CTX_use_certificate(ctx, x))
+        if (!ssl_set_cert(cert, x))
                 goto err;
 
-        if (!ssl_cert_set0_chain(ctx->internal->cert, NULL))
+        if (!ssl_cert_set0_chain(cert, NULL))
                 goto err;
 
         /* Process any additional CA certificates. */
-        while ((ca = PEM_read_bio_X509(in, NULL,
-            ctx->default_passwd_callback,
-            ctx->default_passwd_callback_userdata)) != NULL) {
-                if (!ssl_cert_add0_chain_cert(ctx->internal->cert, ca)) {
+        while ((ca = PEM_read_bio_X509(in, NULL, passwd_cb, passwd_arg)) !=
+            NULL) {
+                if (!ssl_cert_add0_chain_cert(cert, ca)) {
                         X509_free(ca);
                         goto err;
                 }
@@ -652,7 +655,8 @@ ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in)
 }
 
 int
-SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
+use_certificate_chain_file(const char *file, CERT *cert,
+    pem_password_cb *passwd_cb, void *passwd_arg)
 {
         BIO *in;
         int ret = 0;
@@ -668,7 +672,7 @@ SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
                 goto end;
         }
 
-        ret = ssl_ctx_use_certificate_chain_bio(ctx, in);
+        ret = use_certificate_chain_bio(in, cert, passwd_cb, passwd_arg);
 
 end:
         BIO_free(in);
@@ -676,6 +680,22 @@ end:
 }
 
 int
+SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
+{
+        return use_certificate_chain_file(file, ctx->internal->cert,
+            ctx->default_passwd_callback,
+            ctx->default_passwd_callback_userdata);
+}
+
+int
+SSL_use_certificate_chain_file(SSL *ssl, const char *file)
+{
+        return use_certificate_chain_file(file, ssl->cert,
+            ssl->ctx->default_passwd_callback,
+            ssl->ctx->default_passwd_callback_userdata);
+}
+
+int
 SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len)
 {
         BIO *in;
@@ -687,7 +707,9 @@ SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len)
                 goto end;
         }
 
-        ret = ssl_ctx_use_certificate_chain_bio(ctx, in);
+        ret = use_certificate_chain_bio(in, ctx->internal->cert,
+            ctx->default_passwd_callback,
+            ctx->default_passwd_callback_userdata);
 
 end:
         BIO_free(in);