Diffstat (limited to 'src/lib/libssl/tls13_server.c')
-rw-r--r--src/lib/libssl/tls13_server.c28
1 files changed, 3 insertions, 25 deletions
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 5aee5f1a93..8f225433f0 100644
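--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.100 2022/07/24 14:16:29 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.101 2022/08/17 07:39:19 jsing Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -860,9 +860,7 @@ tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
  struct stack_st_X509 *certs = NULL;
  SSL *s = ctx->ssl;
  X509 *cert = NULL;
- EVP_PKEY *pkey;
  const uint8_t *p;
- int cert_type;
  int ret = 0;
 
  if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context))
@@ -911,31 +909,11 @@ tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
  "failed to verify peer certificate", NULL);
  goto err;
  }
+ s->session->verify_result = s->verify_result;
  ERR_clear_error();
 
- /*
- * Achtung! Due to API inconsistency, a client includes the peer's leaf
- * certificate in the stored certificate chain, while a server does not.
- */
- cert = sk_X509_shift(certs);
-
- if ((pkey = X509_get0_pubkey(cert)) == NULL)
+ if (!tls_process_peer_certs(s, certs))
  goto err;
- if (EVP_PKEY_missing_parameters(pkey))
- goto err;
- if ((cert_type = ssl_cert_type(pkey)) < 0)
- goto err;
-
- X509_up_ref(cert);
- X509_free(s->session->peer_cert);
- s->session->peer_cert = cert;
- s->session->peer_cert_type = cert_type;
-
- s->session->verify_result = s->verify_result;
-
- sk_X509_pop_free(s->session->cert_chain, X509_free);
- s->session->cert_chain = certs;
- certs = NULL;
 
  ctx->handshake_stage.hs_type |= WITH_CCV;
  ret = 1;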
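Review bot: Ownership of `certs` is not stated at the new call `if (!tls_process_peer_certs(s, certs))` (new line 915). The removed code stored the stack in `s->session->cert_chain` and then set `certs = NULL`; that reset is gone, so whatever cleanup the function does on `certs` after this hunk (its body starts and ends outside the hunk) now applies on the success path as well. That is correct only if the helper takes its own references to the leaf and chain instead of keeping the caller's stack, and the helper's definition is not in this file's section. It presumably also carries the removed leaf-key checks (`X509_get0_pubkey`, `EVP_PKEY_missing_parameters`, `ssl_cert_type`). I would add above the call `/* tls_process_peer_certs() takes its own references; certs is still freed by this function. */` once that has been confirmed against the helper.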