From 29dd08f9d36c1e143430c23b6c134c873648b8f4 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Tue, 11 Jan 2022 19:03:15 +0000
Subject: Remove peer_pkeys from SSL_SESSION.

peer_pkeys comes from some world where peers can send multiple certificates - in fact, one of each known type. Since we do not live in such a world, get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2 and TLSv1.3, both clients and servers can only send a single leaf (aka end-entity) certificate).

ok inoguchi@ tb@
---
 src/lib/libssl/tls13_client.c | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)

(limited to 'src/lib/libssl/tls13_client.c')

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 3e168a0b54..4b52f6cf62 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.92 2022/01/11 18:39:28 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.93 2022/01/11 19:03:15 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing
 *
@@ -561,7 +561,7 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
 X509 *cert = NULL;
 EVP_PKEY *pkey;
 const uint8_t *p;
- int cert_idx, alert_desc;
+ int alert_desc, cert_type;
 int ret = 0;
 if ((certs = sk_X509_new_null()) == NULL)
@@ -625,24 +625,20 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
 goto err;
 if (EVP_PKEY_missing_parameters(pkey))
 goto err;
- if ((cert_idx = ssl_cert_type(cert, pkey)) < 0)
+ if ((cert_type = ssl_cert_type(cert, pkey)) < 0)
 goto err;
- sk_X509_pop_free(s->session->cert_chain, X509_free);
- s->session->cert_chain = certs;
- certs = NULL;
-
- X509_up_ref(cert);
- X509_free(s->session->peer_pkeys[cert_idx].x509);
- s->session->peer_pkeys[cert_idx].x509 = cert;
- s->session->peer_key = &s->session->peer_pkeys[cert_idx];
-
 X509_up_ref(cert);
 X509_free(s->session->peer_cert);
 s->session->peer_cert = cert;
+ s->session->peer_cert_type = cert_type;
 s->session->verify_result = s->verify_result;
+ sk_X509_pop_free(s->session->cert_chain, X509_free);
+ s->session->cert_chain = certs;
+ certs = NULL;
+
 if (ctx->ocsp_status_recv_cb != NULL && !ctx->ocsp_status_recv_cb(ctx))
 goto err;
-- 
cgit v1.2.3-55-g6feb
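Review bot: The reordered block now commits every piece of session state (`peer_cert`, `peer_cert_type`, `verify_result` and, after the move, `cert_chain`) before the OCSP status callback runs, so a failing callback leaves the session holding the new peer certificate and chain while control jumps to `err`; that is presumably harmless because the handshake then fails, but the ownership hand-off is entirely implicit. A short comment above the moved `sk_X509_pop_free()` line would make it explicit: `/* The session takes ownership of certs and a second reference to cert; clearing certs keeps err: from freeing the chain. */`. The unchecked `X509_up_ref(cert)` is pre-existing context rather than part of this change, but since the pointer is stored into `peer_cert` regardless of the result, `if (!X509_up_ref(cert)) goto err;` would avoid recording a reference that was never taken. tls13_server_certificate_recv begins before this hunk and its `err:` cleanup lies outside it.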