Diffstat (limited to 'src/lib/libssl/ssl_clnt.c')
-rw-r--r--src/lib/libssl/ssl_clnt.c36
1 files changed, 4 insertions, 32 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 1319684868..0e50285898 100644
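--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.152 2022/08/15 10:45:25 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.153 2022/08/17 07:39:19 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1090,8 +1090,6 @@ ssl3_get_server_certificate(SSL *s)
  STACK_OF(X509) *certs = NULL;
  X509 *cert = NULL;
  const uint8_t *p;
- EVP_PKEY *pkey;
- int cert_type;
  int al, ret;
 
  if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_A,
@@ -1156,37 +1154,11 @@ ssl3_get_server_certificate(SSL *s)
  SSLerror(s, SSL_R_CERTIFICATE_VERIFY_FAILED);
  goto fatal_err;
  }
- ERR_clear_error(); /* but we keep s->verify_result */
-
- /*
- * Inconsistency alert: cert_chain does include the peer's
- * certificate, which we don't include in s3_srvr.c
- */
- cert = sk_X509_value(certs, 0);
- X509_up_ref(cert);
-
- if ((pkey = X509_get0_pubkey(cert)) == NULL ||
- EVP_PKEY_missing_parameters(pkey)) {
- al = SSL3_AL_FATAL;
- SSLerror(s, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
- goto fatal_err;
- }
- if ((cert_type = ssl_cert_type(pkey)) < 0) {
- al = SSL3_AL_FATAL;
- SSLerror(s, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
- goto fatal_err;
- }
-
- X509_free(s->session->peer_cert);
- X509_up_ref(cert);
- s->session->peer_cert = cert;
- s->session->peer_cert_type = cert_type;
-
  s->session->verify_result = s->verify_result;
+ ERR_clear_error();
 
- sk_X509_pop_free(s->session->cert_chain, X509_free);
- s->session->cert_chain = certs;
- certs = NULL;
+ if (!tls_process_peer_certs(s, certs))
+ goto err;
 
  ret = 1;
 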
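Review bot: The failure branch of the new `tls_process_peer_certs(s, certs)` call jumps to `err`, whereas the removed public-key and certificate-type checks set `al = SSL3_AL_FATAL` and went to `fatal_err`. Unless the helper raises the alert itself (its body is not in this diff), a server certificate with missing key parameters or an unknown type now ends the handshake without a fatal alert being sent; if that is not intended, keep the old path with `al = SSL3_AL_FATAL;` and `goto fatal_err;` in the branch. The hunk also drops `certs = NULL` after the hand-off, so the cleanup at the end of ssl3_get_server_certificate(), which lies outside the hunk, presumably still releases `certs` and relies on the helper holding its own references. Once that is confirmed against the helper, a comment such as `/* tls_process_peer_certs() takes its own references to certs */` above the call would record the ownership contract.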