diff options
| author |   jsing <jsing@openbsd.org> | 2019-03-25 16:24:57 +0000 |
|---|---|---|
| committer | jsing <jsing@openbsd.org> | 2019-03-25 16:24:57 +0000 |
| commit | eef9ac4d610696c065ca9225366655883c3d08b9 (patch) | |
| tree | d8d6cf900bba01e311cbe91feda8f8b199812c63 /lib/libssl/ssl_cert.c | |
| parent | Expand comment to document rationale for default key sizes. (diff) | |
| download | wireguard-openbsd-eef9ac4d610696c065ca9225366655883c3d08b9.tar.xz wireguard-openbsd-eef9ac4d610696c065ca9225366655883c3d08b9.zip | |
Add a chain member to CERT_PKEY and provide functions for manipulating it.
Note that this is not the full chain, as the leaf certificate currently
remains in the x509 member of CERT_PKEY. Unfortunately we've got to
contend with the fact that some OpenSSL *_chain_* APIs exclude the leaf
certificate while others include it...
ok beck@ tb@
Diffstat (limited to 'lib/libssl/ssl_cert.c')
| -rw-r--r-- | lib/libssl/ssl_cert.c | 68 |
1 files changed, 66 insertions, 2 deletions
diff --git a/lib/libssl/ssl_cert.c b/lib/libssl/ssl_cert.c index 313ff3ae5ca..ab76939116e 100644 --- a/lib/libssl/ssl_cert.c +++ b/lib/libssl/ssl_cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_cert.c,v 1.72 2018/11/19 14:42:01 jsing Exp $ */ +/* $OpenBSD: ssl_cert.c,v 1.73 2019/03/25 16:24:57 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -275,6 +275,12 @@ ssl_cert_dup(CERT *cert) SSLerrorx(SSL_R_LIBRARY_BUG); } } + + if (cert->pkeys[i].chain != NULL) { + if ((ret->pkeys[i].chain = + X509_chain_up_ref(cert->pkeys[i].chain)) == NULL) + goto err; + } } /* @@ -291,12 +297,13 @@ ssl_cert_dup(CERT *cert) return (ret); -err: + err: DH_free(ret->dh_tmp); for (i = 0; i < SSL_PKEY_NUM; i++) { X509_free(ret->pkeys[i].x509); EVP_PKEY_free(ret->pkeys[i].privatekey); + sk_X509_pop_free(ret->pkeys[i].chain, X509_free); } free (ret); return NULL; @@ -320,11 +327,68 @@ ssl_cert_free(CERT *c) for (i = 0; i < SSL_PKEY_NUM; i++) { X509_free(c->pkeys[i].x509); EVP_PKEY_free(c->pkeys[i].privatekey); + sk_X509_pop_free(c->pkeys[i].chain, X509_free); } free(c); } +int +ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain) +{ + if (c->key == NULL) + return 0; + + sk_X509_pop_free(c->key->chain, X509_free); + c->key->chain = chain; + + return 1; +} + +int +ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain) +{ + STACK_OF(X509) *new_chain = NULL; + + if (chain != NULL) { + if ((new_chain = X509_chain_up_ref(chain)) == NULL) + return 0; + } + if (!ssl_cert_set0_chain(c, new_chain)) { + sk_X509_pop_free(new_chain, X509_free); + return 0; + } + + return 1; +} + +int +ssl_cert_add0_chain_cert(CERT *c, X509 *cert) +{ + if (c->key == NULL) + return 0; + + if (c->key->chain == NULL) { + if ((c->key->chain = sk_X509_new_null()) == NULL) + return 0; + } + if (!sk_X509_push(c->key->chain, cert)) + return 0; + + return 1; +} + +int +ssl_cert_add1_chain_cert(CERT *c, X509 *cert) +{ + if (!ssl_cert_add0_chain_cert(c, cert)) + return 0; + + X509_up_ref(cert); + + return 1; +} + SESS_CERT * ssl_sess_cert_new(void) { |