From b0c5f651476e9397892adf645bba468df03d0ea9 Mon Sep 17 00:00:00 2001 From: jsing <> Date: Wed, 17 Aug 2022 07:39:19 +0000 Subject: Deduplicate peer certificate chain processing code. Rather than reimplement this in each TLS client and server, deduplicate it into a single function. Furthermore, rather than dealing with the API hazard that is SSL_get_peer_cert_chain() in this code, simply produce two chains - one that has the leaf and one that does not. SSL_get_peer_cert_chain() can then return the appropriate one. This also moves the peer cert chain from the SSL_SESSION to the SSL_HANDSHAKE, which makes more sense since it is not available on resumption. ok tb@ --- src/lib/libssl/tls13_client.c | 26 ++++---------------------- 1 file changed, 4 insertions(+), 22 deletions(-) (limited to 'src/lib/libssl/tls13_client.c') diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index b1efafdfdd..87759632f9 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_client.c,v 1.97 2022/07/24 14:16:29 jsing Exp $ */ +/* $OpenBSD: tls13_client.c,v 1.98 2022/08/17 07:39:19 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -553,9 +553,8 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) struct stack_st_X509 *certs = NULL; SSL *s = ctx->ssl; X509 *cert = NULL; - EVP_PKEY *pkey; const uint8_t *p; - int alert_desc, cert_type; + int alert_desc; int ret = 0; if ((certs = sk_X509_new_null()) == NULL) @@ -610,28 +609,11 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) "failed to verify peer certificate", NULL); goto err; } + s->session->verify_result = s->verify_result; ERR_clear_error(); - cert = sk_X509_value(certs, 0); - X509_up_ref(cert); - - if ((pkey = X509_get0_pubkey(cert)) == NULL) - goto err; - if (EVP_PKEY_missing_parameters(pkey)) + if (!tls_process_peer_certs(s, certs)) goto err; - if ((cert_type = ssl_cert_type(pkey)) < 0) - goto err; - - X509_up_ref(cert); - X509_free(s->session->peer_cert); - s->session->peer_cert = cert; - s->session->peer_cert_type = cert_type; - - s->session->verify_result = s->verify_result; - - sk_X509_pop_free(s->session->cert_chain, X509_free); - s->session->cert_chain = certs; - certs = NULL; if (ctx->ocsp_status_recv_cb != NULL && !ctx->ocsp_status_recv_cb(ctx)) -- cgit v1.2.3-55-g6feb