From b0c5f651476e9397892adf645bba468df03d0ea9 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Wed, 17 Aug 2022 07:39:19 +0000
Subject: Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@
---
 src/lib/libssl/ssl_sess.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'src/lib/libssl/ssl_sess.c')

diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index fcb259f6a2..7cf36f8984 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.116 2022/06/07 17:49:22 tb Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.117 2022/08/17 07:39:19 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -230,6 +230,8 @@ SSL_SESSION_new(void)
 	ss->next = NULL;
 	ss->tlsext_hostname = NULL;
 
+	ss->peer_cert_type = -1;
+
 	ss->tlsext_ecpointformatlist_length = 0;
 	ss->tlsext_ecpointformatlist = NULL;
 	ss->tlsext_supportedgroups_length = 0;
@@ -761,8 +763,6 @@ SSL_SESSION_free(SSL_SESSION *ss)
 	explicit_bzero(ss->master_key, sizeof ss->master_key);
 	explicit_bzero(ss->session_id, sizeof ss->session_id);
 
-	sk_X509_pop_free(ss->cert_chain, X509_free);
-
 	X509_free(ss->peer_cert);
 
 	sk_SSL_CIPHER_free(ss->ciphers);
-- 
cgit v1.2.3-55-g6feb