From b0c5f651476e9397892adf645bba468df03d0ea9 Mon Sep 17 00:00:00 2001 From: jsing <> Date: Wed, 17 Aug 2022 07:39:19 +0000 Subject: Deduplicate peer certificate chain processing code. Rather than reimplement this in each TLS client and server, deduplicate it into a single function. Furthermore, rather than dealing with the API hazard that is SSL_get_peer_cert_chain() in this code, simply produce two chains - one that has the leaf and one that does not. SSL_get_peer_cert_chain() can then return the appropriate one. This also moves the peer cert chain from the SSL_SESSION to the SSL_HANDSHAKE, which makes more sense since it is not available on resumption. ok tb@ --- src/lib/libssl/ssl_clnt.c | 36 ++++-------------------------------- 1 file changed, 4 insertions(+), 32 deletions(-) (limited to 'src/lib/libssl/ssl_clnt.c') diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index 1319684868..0e50285898 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.152 2022/08/15 10:45:25 tb Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.153 2022/08/17 07:39:19 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1090,8 +1090,6 @@ ssl3_get_server_certificate(SSL *s) STACK_OF(X509) *certs = NULL; X509 *cert = NULL; const uint8_t *p; - EVP_PKEY *pkey; - int cert_type; int al, ret; if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_A, @@ -1156,37 +1154,11 @@ ssl3_get_server_certificate(SSL *s) SSLerror(s, SSL_R_CERTIFICATE_VERIFY_FAILED); goto fatal_err; } - ERR_clear_error(); /* but we keep s->verify_result */ - - /* - * Inconsistency alert: cert_chain does include the peer's - * certificate, which we don't include in s3_srvr.c - */ - cert = sk_X509_value(certs, 0); - X509_up_ref(cert); - - if ((pkey = X509_get0_pubkey(cert)) == NULL || - EVP_PKEY_missing_parameters(pkey)) { - al = SSL3_AL_FATAL; - SSLerror(s, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); - goto fatal_err; - } - if ((cert_type = ssl_cert_type(pkey)) < 0) { - al = SSL3_AL_FATAL; - SSLerror(s, SSL_R_UNKNOWN_CERTIFICATE_TYPE); - goto fatal_err; - } - - X509_free(s->session->peer_cert); - X509_up_ref(cert); - s->session->peer_cert = cert; - s->session->peer_cert_type = cert_type; - s->session->verify_result = s->verify_result; + ERR_clear_error(); - sk_X509_pop_free(s->session->cert_chain, X509_free); - s->session->cert_chain = certs; - certs = NULL; + if (!tls_process_peer_certs(s, certs)) + goto err; ret = 1; -- cgit v1.2.3-55-g6feb