From b0c5f651476e9397892adf645bba468df03d0ea9 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Wed, 17 Aug 2022 07:39:19 +0000
Subject: Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@
---
 src/lib/libssl/s3_lib.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

(limited to 'src/lib/libssl/s3_lib.c')

diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index b6a2c26938..2726744357 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.235 2022/07/02 16:31:04 tb Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.236 2022/08/17 07:39:19 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1559,8 +1559,10 @@ ssl3_free(SSL *s)
 	tls1_cleanup_key_block(s);
 	ssl3_release_read_buffer(s);
 	ssl3_release_write_buffer(s);
-	freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
 
+	freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
+	sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
+	sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
 	tls_key_share_free(s->s3->hs.key_share);
 
 	tls13_secrets_destroy(s->s3->hs.tls13.secrets);
@@ -1586,8 +1588,8 @@ ssl3_free(SSL *s)
 void
 ssl3_clear(SSL *s)
 {
-	unsigned char	*rp, *wp;
-	size_t		 rlen, wlen;
+	unsigned char *rp, *wp;
+	size_t rlen, wlen;
 
 	tls1_cleanup_key_block(s);
 	sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
@@ -1598,6 +1600,11 @@ ssl3_clear(SSL *s)
 	s->s3->hs.sigalgs = NULL;
 	s->s3->hs.sigalgs_len = 0;
 
+	sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
+	s->s3->hs.peer_certs = NULL;
+	sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
+	s->s3->hs.peer_certs_no_leaf = NULL;
+
 	tls_key_share_free(s->s3->hs.key_share);
 	s->s3->hs.key_share = NULL;
 
-- 
cgit v1.2.3-55-g6feb