Diffstat (limited to 'src/lib/libssl/ssl_both.c')
| -rw-r--r-- | src/lib/libssl/ssl_both.c | 60 |
1 files changed, 28 insertions, 32 deletions
diff --git a/src/lib/libssl/ssl_both.c b/src/lib/libssl/ssl_both.c index 77ab26e8b5..6bd5f08111 100644 --- a/src/lib/libssl/ssl_both.c +++ b/src/lib/libssl/ssl_both.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_both.c,v 1.14 2018/11/08 22:28:52 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_both.c,v 1.15 2019/03/25 16:35:48 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -378,60 +378,56 @@ ssl3_add_cert(CBB *cbb, X509 *x) | |||
| 378 | } | 378 | } |
| 379 | 379 | ||
| 380 | int | 380 | int |
| 381 | ssl3_output_cert_chain(SSL *s, CBB *cbb, X509 *x) | 381 | ssl3_output_cert_chain(SSL *s, CBB *cbb, CERT_PKEY *cpk) |
| 382 | { | 382 | { |
| 383 | int no_chain = 0; | 383 | X509_STORE_CTX *xs_ctx = NULL; |
| 384 | STACK_OF(X509) *chain; | ||
| 384 | CBB cert_list; | 385 | CBB cert_list; |
| 386 | X509 *x; | ||
| 385 | int ret = 0; | 387 | int ret = 0; |
| 386 | int i; | 388 | int i; |
| 387 | 389 | ||
| 388 | if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) | 390 | if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) |
| 389 | goto err; | 391 | goto err; |
| 390 | 392 | ||
| 391 | if ((s->internal->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs) | 393 | /* Send an empty certificate list when no certificate is available. */ |
| 392 | no_chain = 1; | 394 | if (cpk == NULL) |
| 395 | goto done; | ||
| 393 | 396 | ||
| 394 | /* TLSv1 sends a chain with nothing in it, instead of an alert. */ | 397 | if ((chain = cpk->chain) == NULL) |
| 395 | if (x != NULL) { | 398 | chain = s->ctx->extra_certs; |
| 396 | if (no_chain) { | ||
| 397 | if (!ssl3_add_cert(&cert_list, x)) | ||
| 398 | goto err; | ||
| 399 | } else { | ||
| 400 | X509_STORE_CTX xs_ctx; | ||
| 401 | 399 | ||
| 402 | if (!X509_STORE_CTX_init(&xs_ctx, s->ctx->cert_store, | 400 | if (chain != NULL || (s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) { |
| 403 | x, NULL)) { | 401 | if (!ssl3_add_cert(&cert_list, cpk->x509)) |
| 404 | SSLerror(s, ERR_R_X509_LIB); | 402 | goto err; |
| 405 | goto err; | 403 | } else { |
| 406 | } | 404 | if ((xs_ctx = X509_STORE_CTX_new()) == NULL) |
| 407 | X509_verify_cert(&xs_ctx); | 405 | goto err; |
| 408 | 406 | if (!X509_STORE_CTX_init(xs_ctx, s->ctx->cert_store, | |
| 409 | /* Don't leave errors in the queue. */ | 407 | cpk->x509, NULL)) { |
| 410 | ERR_clear_error(); | 408 | SSLerror(s, ERR_R_X509_LIB); |
| 411 | for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) { | 409 | goto err; |
| 412 | x = sk_X509_value(xs_ctx.chain, i); | ||
| 413 | if (!ssl3_add_cert(&cert_list, x)) { | ||
| 414 | X509_STORE_CTX_cleanup(&xs_ctx); | ||
| 415 | goto err; | ||
| 416 | } | ||
| 417 | } | ||
| 418 | X509_STORE_CTX_cleanup(&xs_ctx); | ||
| 419 | } | 410 | } |
| 411 | X509_verify_cert(xs_ctx); | ||
| 412 | ERR_clear_error(); | ||
| 413 | chain = xs_ctx->chain; | ||
| 420 | } | 414 | } |
| 421 | 415 | ||
| 422 | /* Thawte special :-) */ | 416 | for (i = 0; i < sk_X509_num(chain); i++) { |
| 423 | for (i = 0; i < sk_X509_num(s->ctx->extra_certs); i++) { | 417 | x = sk_X509_value(chain, i); |
| 424 | x = sk_X509_value(s->ctx->extra_certs, i); | ||
| 425 | if (!ssl3_add_cert(&cert_list, x)) | 418 | if (!ssl3_add_cert(&cert_list, x)) |
| 426 | goto err; | 419 | goto err; |
| 427 | } | 420 | } |
| 428 | 421 | ||
| 422 | done: | ||
| 429 | if (!CBB_flush(cbb)) | 423 | if (!CBB_flush(cbb)) |
| 430 | goto err; | 424 | goto err; |
| 431 | 425 | ||
| 432 | ret = 1; | 426 | ret = 1; |
| 433 | 427 | ||
| 434 | err: | 428 | err: |
| 429 | X509_STORE_CTX_free(xs_ctx); | ||
| 430 | |||
| 435 | return (ret); | 431 | return (ret); |
| 436 | } | 432 | } |
| 437 | 433 | ||
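Review bot: The new entry guard `if (cpk == NULL) goto done;` replaces the old `if (x != NULL)` check, so a CERT_PKEY whose x509 member is NULL now reaches `ssl3_add_cert(&cert_list, cpk->x509)` or `X509_STORE_CTX_init(xs_ctx, s->ctx->cert_store, cpk->x509, NULL)`; whether ssl3_add_cert tolerates a NULL certificate is not visible in the hunk, and in the auto-chain branch a context with no certificate would presumably leave `chain` NULL and silently send an empty list. Unless every caller guarantees cpk->x509 is set, widen the guard to `if (cpk == NULL || cpk->x509 == NULL) goto done;`. The final `for` loop also runs with `chain == NULL` when SSL_MODE_NO_AUTO_CHAIN is set and neither cpk->chain nor s->ctx->extra_certs exists, which appears to rely on `sk_X509_num(NULL)` returning a negative count; a short comment above the loop, e.g. `/* chain may be NULL here; sk_X509_num(NULL) is negative, so nothing is appended. */`, would make that dependency explicit. The chain-selection precedence (cpk->chain, then ctx->extra_certs, then an auto-built chain unless SSL_MODE_NO_AUTO_CHAIN) is worth a header comment on the function, since the removed "Thawte special" behaviour of always appending extra_certs after the chain no longer applies.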
