diff options
Diffstat (limited to 'src/lib/libssl/tls13_server.c')
| -rw-r--r-- | src/lib/libssl/tls13_server.c | 26 |
1 files changed, 25 insertions, 1 deletions
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c index a5c03b610c..f9b557d2ac 100644 --- a/src/lib/libssl/tls13_server.c +++ b/src/lib/libssl/tls13_server.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_server.c,v 1.61 2020/07/03 04:12:51 tb Exp $ */ | 1 | /* $OpenBSD: tls13_server.c,v 1.61.4.1 2021/02/03 07:06:14 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> | 4 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> |
| @@ -611,6 +611,7 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) | |||
| 611 | SSL *s = ctx->ssl; | 611 | SSL *s = ctx->ssl; |
| 612 | CBB cert_request_context, cert_list; | 612 | CBB cert_request_context, cert_list; |
| 613 | const struct ssl_sigalg *sigalg; | 613 | const struct ssl_sigalg *sigalg; |
| 614 | X509_STORE_CTX *xsc = NULL; | ||
| 614 | STACK_OF(X509) *chain; | 615 | STACK_OF(X509) *chain; |
| 615 | CERT_PKEY *cpk; | 616 | CERT_PKEY *cpk; |
| 616 | X509 *cert; | 617 | X509 *cert; |
| @@ -633,6 +634,18 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) | |||
| 633 | if ((chain = cpk->chain) == NULL) | 634 | if ((chain = cpk->chain) == NULL) |
| 634 | chain = s->ctx->extra_certs; | 635 | chain = s->ctx->extra_certs; |
| 635 | 636 | ||
| 637 | if (chain == NULL && !(s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) { | ||
| 638 | if ((xsc = X509_STORE_CTX_new()) == NULL) | ||
| 639 | goto err; | ||
| 640 | if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL)) | ||
| 641 | goto err; | ||
| 642 | X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xsc), | ||
| 643 | X509_V_FLAG_LEGACY_VERIFY); | ||
| 644 | X509_verify_cert(xsc); | ||
| 645 | ERR_clear_error(); | ||
| 646 | chain = xsc->chain; | ||
| 647 | } | ||
| 648 | |||
| 636 | if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) | 649 | if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) |
| 637 | goto err; | 650 | goto err; |
| 638 | if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) | 651 | if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) |
| @@ -643,6 +656,15 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) | |||
| 643 | 656 | ||
| 644 | for (i = 0; i < sk_X509_num(chain); i++) { | 657 | for (i = 0; i < sk_X509_num(chain); i++) { |
| 645 | cert = sk_X509_value(chain, i); | 658 | cert = sk_X509_value(chain, i); |
| 659 | |||
| 660 | /* | ||
| 661 | * In the case of auto chain, the leaf certificate will be at | ||
| 662 | * the top of the chain - skip over it as we've already added | ||
| 663 | * it earlier. | ||
| 664 | */ | ||
| 665 | if (i == 0 && cert == cpk->x509) | ||
| 666 | continue; | ||
| 667 | |||
| 646 | /* | 668 | /* |
| 647 | * XXX we don't send extensions with chain certs to avoid sending | 669 | * XXX we don't send extensions with chain certs to avoid sending |
| 648 | * a leaf ocsp stape with the chain certs. This needs to get | 670 | * a leaf ocsp stape with the chain certs. This needs to get |
| @@ -658,6 +680,8 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) | |||
| 658 | ret = 1; | 680 | ret = 1; |
| 659 | 681 | ||
| 660 | err: | 682 | err: |
| 683 | X509_STORE_CTX_free(xsc); | ||
| 684 | |||
| 661 | return ret; | 685 | return ret; |
| 662 | } | 686 | } |
| 663 | 687 | ||