From db3f81fc27d7f2c4e5d57b3936d083fd094ebcfe Mon Sep 17 00:00:00 2001
From: tb <>
Date: Fri, 19 Mar 2021 19:51:07 +0000
Subject: Prepare to provide SSL_use_certificate_chain_file()

This is the same as SSL_CTX_use_certificate_chain_file() but for an SSL object instead of an SSL_CTX object. remi found this in a recent librelp update, so we need to provide it. The function will be exposed in an upcoming library bump.

ok inoguchi on an earlier version, input/ok jsing
---
 src/lib/libssl/ssl.h | 5 ++++-
 src/lib/libssl/ssl_rsa.c | 50 ++++++++++++++++++++++++++++++++++--------------
 2 files changed, 40 insertions(+), 15 deletions(-)

(limited to 'src')

diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index e7ff6cec2a..36c9ef02bd 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.182 2021/02/20 08:33:17 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.183 2021/03/19 19:51:07 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1357,6 +1357,9 @@ int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len);
 int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
 int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);
 int SSL_use_certificate_file(SSL *ssl, const char *file, int type);
+#if defined(LIBRESSL_INTERNAL)
+int SSL_use_certificate_chain_file(SSL *ssl, const char *file);
+#endif
 int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type);
 int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);
 int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index 0936c0bd4c..18ae5307d3 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_rsa.c,v 1.31 2019/03/25 16:46:48 jsing Exp $ */
+/* $OpenBSD: ssl_rsa.c,v 1.32 2021/03/19 19:51:07 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -68,7 +68,10 @@
 static int ssl_set_cert(CERT *c, X509 *x509);
 static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
-static int ssl_ctx_use_certificate_chain_bio(SSL_CTX *, BIO *);
+static int use_certificate_chain_bio(BIO *in, CERT *cert,
+ pem_password_cb *passwd_cb, void *passwd_arg);
+static int use_certificate_chain_file(const char *file, CERT *cert,
+ pem_password_cb *passwd_cb, void *passwd_arg);
 int
 SSL_use_certificate(SSL *ssl, X509 *x)
@@ -609,29 +612,29 @@ SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d,
 * sent to the peer in the Certificate message.
 */
 static int
-ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in)
+use_certificate_chain_bio(BIO *in, CERT *cert, pem_password_cb *passwd_cb,
+ void *passwd_arg)
 {
 X509 *ca, *x = NULL;
 unsigned long err;
 int ret = 0;
- if ((x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,
- ctx->default_passwd_callback_userdata)) == NULL) {
+ if ((x = PEM_read_bio_X509_AUX(in, NULL, passwd_cb, passwd_arg)) ==
+ NULL) {
 SSLerrorx(ERR_R_PEM_LIB);
 goto err;
 }
- if (!SSL_CTX_use_certificate(ctx, x))
+ if (!ssl_set_cert(cert, x))
 goto err;
- if (!ssl_cert_set0_chain(ctx->internal->cert, NULL))
+ if (!ssl_cert_set0_chain(cert, NULL))
 goto err;
 /* Process any additional CA certificates. */
- while ((ca = PEM_read_bio_X509(in, NULL,
- ctx->default_passwd_callback,
- ctx->default_passwd_callback_userdata)) != NULL) {
- if (!ssl_cert_add0_chain_cert(ctx->internal->cert, ca)) {
+ while ((ca = PEM_read_bio_X509(in, NULL, passwd_cb, passwd_arg)) !=
+ NULL) {
+ if (!ssl_cert_add0_chain_cert(cert, ca)) {
 X509_free(ca);
 goto err;
 }
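Review bot: Anything SSL_CTX_use_certificate did beyond rejecting a NULL `x` is skipped now that use_certificate_chain_bio calls `ssl_set_cert(cert, x)` directly; the NULL check itself is dead here because `x` was just read successfully, but if the public wrapper also instantiated the CERT on demand, that no longer happens on this path and a NULL `cert` would reach `ssl_set_cert`, which is worth confirming against the wrapper (not in the hunk). The function's header comment ends just above the hunk and its body continues past it; since the signature gained `cert`, `passwd_cb` and `passwd_arg`, the comment should state that the leaf and chain are installed into `cert` and that the callback pair is handed straight to the PEM readers for encrypted input, e.g. `/* Installs the first PEM cert into cert and the rest as its chain; passwd_cb/passwd_arg are passed through to PEM_read_bio_X509*(). */`.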
@@ -652,7 +655,8 @@ ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in)
 }
 int
-SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
+use_certificate_chain_file(const char *file, CERT *cert,
+ pem_password_cb *passwd_cb, void *passwd_arg)
 {
 BIO *in;
 int ret = 0;
@@ -668,13 +672,29 @@ SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
 goto end;
 }
- ret = ssl_ctx_use_certificate_chain_bio(ctx, in);
+ ret = use_certificate_chain_bio(in, cert, passwd_cb, passwd_arg);
 end:
 BIO_free(in);
 return (ret);
 }
+int
+SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
+{
+ return use_certificate_chain_file(file, ctx->internal->cert,
+ ctx->default_passwd_callback,
+ ctx->default_passwd_callback_userdata);
+}
+
+int
+SSL_use_certificate_chain_file(SSL *ssl, const char *file)
+{
+ return use_certificate_chain_file(file, ssl->cert,
+ ssl->ctx->default_passwd_callback,
+ ssl->ctx->default_passwd_callback_userdata);
+}
+
 int
 SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len)
 {
@@ -687,7 +707,9 @@ SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len)
 goto end;
 }
- ret = ssl_ctx_use_certificate_chain_bio(ctx, in);
+ ret = use_certificate_chain_bio(in, ctx->internal->cert,
+ ctx->default_passwd_callback,
+ ctx->default_passwd_callback_userdata);
 end:
 BIO_free(in);
--
cgit v1.2.3-55-g6feb
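Review bot: The definition of use_certificate_chain_file keeps the unchanged context line `int` while its new prototype in the -68 hunk declares it `static int`, so the definition only gets internal linkage by inheriting it from the earlier declaration; the sibling use_certificate_chain_bio in the -609 hunk is defined with an explicit `static int`. Make the two match by changing that context line to `static int` directly above `use_certificate_chain_file(const char *file, CERT *cert,`. The function body continues past the end of this hunk.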
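Review bot: SSL_use_certificate_chain_file reaches through `ssl->ctx` for the password callback pair with no comment, and neither new public function carries any documentation. A one-line comment on the SSL variant would tell the next reader why the context's callback is used rather than something on the SSL object, e.g. `/* The SSL object keeps no password callback of its own; use the parent context's. */` (to be confirmed: the page does not show whether LibreSSL has a per-SSL default_passwd_callback). Whether `ssl->ctx` can be NULL at this point is not visible here; if any API can leave it NULL, a guard such as `if (ssl->ctx == NULL) return 0;` is needed, otherwise a comment stating the invariant suffices. The same (cert, callback, userdata) triple is unpacked by hand again in the -687 hunk for SSL_CTX_use_certificate_chain_mem, where SSL_CTX_use_certificate_chain_file could serve as the model.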