From 491a1b9b73d1852fd706b6845c3635f5bd3d3834 Mon Sep 17 00:00:00 2001 From: jsing <> Date: Mon, 25 Mar 2019 16:24:57 +0000 Subject: Add a chain member to CERT_PKEY and provide functions for manipulating it. Note that this is not the full chain, as the leaf certificate currently remains in the x509 member of CERT_PKEY. Unfortunately we've got to contend with the fact that some OpenSSL *_chain_* APIs exclude the leaf certificate while others include it... ok beck@ tb@ --- src/lib/libssl/ssl_cert.c | 68 +++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 66 insertions(+), 2 deletions(-) (limited to 'src/lib/libssl/ssl_cert.c') diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c index 313ff3ae5c..ab76939116 100644 --- a/src/lib/libssl/ssl_cert.c +++ b/src/lib/libssl/ssl_cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_cert.c,v 1.72 2018/11/19 14:42:01 jsing Exp $ */ +/* $OpenBSD: ssl_cert.c,v 1.73 2019/03/25 16:24:57 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -275,6 +275,12 @@ ssl_cert_dup(CERT *cert) SSLerrorx(SSL_R_LIBRARY_BUG); } } + + if (cert->pkeys[i].chain != NULL) { + if ((ret->pkeys[i].chain = + X509_chain_up_ref(cert->pkeys[i].chain)) == NULL) + goto err; + } } /* @@ -291,12 +297,13 @@ ssl_cert_dup(CERT *cert) return (ret); -err: + err: DH_free(ret->dh_tmp); for (i = 0; i < SSL_PKEY_NUM; i++) { X509_free(ret->pkeys[i].x509); EVP_PKEY_free(ret->pkeys[i].privatekey); + sk_X509_pop_free(ret->pkeys[i].chain, X509_free); } free (ret); return NULL; @@ -320,11 +327,68 @@ ssl_cert_free(CERT *c) for (i = 0; i < SSL_PKEY_NUM; i++) { X509_free(c->pkeys[i].x509); EVP_PKEY_free(c->pkeys[i].privatekey); + sk_X509_pop_free(c->pkeys[i].chain, X509_free); } free(c); } +int +ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain) +{ + if (c->key == NULL) + return 0; + + sk_X509_pop_free(c->key->chain, X509_free); + c->key->chain = chain; + + return 1; +} + +int +ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain) +{ + STACK_OF(X509) *new_chain = NULL; + + if (chain != NULL) { + if ((new_chain = X509_chain_up_ref(chain)) == NULL) + return 0; + } + if (!ssl_cert_set0_chain(c, new_chain)) { + sk_X509_pop_free(new_chain, X509_free); + return 0; + } + + return 1; +} + +int +ssl_cert_add0_chain_cert(CERT *c, X509 *cert) +{ + if (c->key == NULL) + return 0; + + if (c->key->chain == NULL) { + if ((c->key->chain = sk_X509_new_null()) == NULL) + return 0; + } + if (!sk_X509_push(c->key->chain, cert)) + return 0; + + return 1; +} + +int +ssl_cert_add1_chain_cert(CERT *c, X509 *cert) +{ + if (!ssl_cert_add0_chain_cert(c, cert)) + return 0; + + X509_up_ref(cert); + + return 1; +} + SESS_CERT * ssl_sess_cert_new(void) { -- cgit v1.2.3-55-g6feb