Move the NULL case in ssl_add_cert_chain up.
It's only called for client certificates with NULL. The interaction with extra_certs is more obvious if we handle that case externally. (We shouldn't attach extra_certs if there is no leaf.) Change-Id: I9dc26f32f582be8c48a4da9aae0ceee8741813dc Reviewed-on: https://boringssl-review.googlesource.com/4613 Reviewed-by: Adam Langley <agl@google.com>
parent
e92d24f323
commit
605641ed95
@ -103,6 +103,7 @@ SSL,function,192,ssl3_get_server_hello
|
|||||||
SSL,function,193,ssl3_get_server_key_exchange
|
SSL,function,193,ssl3_get_server_key_exchange
|
||||||
SSL,function,194,ssl3_get_v2_client_hello
|
SSL,function,194,ssl3_get_v2_client_hello
|
||||||
SSL,function,195,ssl3_handshake_mac
|
SSL,function,195,ssl3_handshake_mac
|
||||||
|
SSL,function,275,ssl3_output_cert_chain
|
||||||
SSL,function,196,ssl3_prf
|
SSL,function,196,ssl3_prf
|
||||||
SSL,function,197,ssl3_read_bytes
|
SSL,function,197,ssl3_read_bytes
|
||||||
SSL,function,198,ssl3_read_n
|
SSL,function,198,ssl3_read_n
|
||||||
|
@ -2678,6 +2678,7 @@ OPENSSL_EXPORT const char *SSLeay_version(int unused);
|
|||||||
#define SSL_F_SSL_CTX_set1_tls_channel_id 272
|
#define SSL_F_SSL_CTX_set1_tls_channel_id 272
|
||||||
#define SSL_F_SSL_set1_tls_channel_id 273
|
#define SSL_F_SSL_set1_tls_channel_id 273
|
||||||
#define SSL_F_SSL_set_tlsext_host_name 274
|
#define SSL_F_SSL_set_tlsext_host_name 274
|
||||||
|
#define SSL_F_ssl3_output_cert_chain 275
|
||||||
#define SSL_R_APP_DATA_IN_HANDSHAKE 100
|
#define SSL_R_APP_DATA_IN_HANDSHAKE 100
|
||||||
#define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 101
|
#define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 101
|
||||||
#define SSL_R_BAD_ALERT 102
|
#define SSL_R_BAD_ALERT 102
|
||||||
|
@ -305,7 +305,13 @@ int ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk) {
|
|||||||
uint8_t *p;
|
uint8_t *p;
|
||||||
unsigned long l = 3 + SSL_HM_HEADER_LENGTH(s);
|
unsigned long l = 3 + SSL_HM_HEADER_LENGTH(s);
|
||||||
|
|
||||||
if (!ssl_add_cert_chain(s, cpk, &l)) {
|
if (cpk == NULL) {
|
||||||
|
/* TLSv1 sends a chain with nothing in it, instead of an alert. */
|
||||||
|
if (!BUF_MEM_grow_clean(s->init_buf, 10)) {
|
||||||
|
OPENSSL_PUT_ERROR(SSL, ssl3_output_cert_chain, ERR_R_BUF_LIB);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
} else if (!ssl_add_cert_chain(s, cpk, &l)) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
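Review bot: The new empty-chain branch grows `s->init_buf` to a hard-coded 10 bytes even though `l`, computed a few lines above as `3 + SSL_HM_HEADER_LENGTH(s)`, already expresses the space the handshake header plus the 3-byte length prefix need; if SSL_HM_HEADER_LENGTH(s) is larger for DTLS than for TLS, `l` exceeds 10 there, so unless init_buf is guaranteed to be at least that large already (not visible in this hunk) `if (!BUF_MEM_grow_clean(s->init_buf, l)) {` is the safer bound. The constant was carried over from the old ssl_add_cert_chain, so this is pre-existing, but the move is the moment to tie it to `l` or give it a name. ssl3_output_cert_chain begins before and continues past this hunk, so the code that later writes the header into the buffer is not visible here.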
@ -792,12 +792,13 @@ int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l) {
|
|||||||
int no_chain = 0;
|
int no_chain = 0;
|
||||||
size_t i;
|
size_t i;
|
||||||
|
|
||||||
X509 *x = NULL;
|
X509 *x = cpk->x509;
|
||||||
STACK_OF(X509) * extra_certs;
|
STACK_OF(X509) *extra_certs;
|
||||||
X509_STORE *chain_store;
|
X509_STORE *chain_store;
|
||||||
|
|
||||||
if (cpk) {
|
if (x == NULL) {
|
||||||
x = cpk->x509;
|
OPENSSL_PUT_ERROR(SSL, ssl_add_cert_chain, SSL_R_NO_CERTIFICATE_SET);
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (s->cert->chain_store) {
|
if (s->cert->chain_store) {
|
||||||
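Review bot: `X509 *x = cpk->x509;` now dereferences cpk unconditionally, so ssl_add_cert_chain acquires a precondition that is enforced only by its caller in ssl3_output_cert_chain; it should be stated on the declaration, e.g. `/* ssl_add_cert_chain appends the chain for |cpk|, which must not be NULL; a NULL leaf (|cpk->x509|) fails with SSL_R_NO_CERTIFICATE_SET. Callers that want an empty chain must emit it themselves. */`. The local `x` now holds the leaf and is later reused as the loop cursor over extra_certs (in the hunk at @ -817); a separate name for the cursor would keep the leaf readable throughout the function. The function's signature and most of its body lie outside this hunk.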
@ -817,17 +818,17 @@ int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l) {
|
|||||||
no_chain = 1;
|
no_chain = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* TLSv1 sends a chain with nothing in it, instead of an alert. */
|
|
||||||
if (!BUF_MEM_grow_clean(buf, 10)) {
|
|
||||||
OPENSSL_PUT_ERROR(SSL, ssl_add_cert_chain, ERR_R_BUF_LIB);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (x != NULL) {
|
|
||||||
if (no_chain) {
|
if (no_chain) {
|
||||||
if (!ssl_add_cert_to_buf(buf, l, x)) {
|
if (!ssl_add_cert_to_buf(buf, l, x)) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
for (i = 0; i < sk_X509_num(extra_certs); i++) {
|
||||||
|
x = sk_X509_value(extra_certs, i);
|
||||||
|
if (!ssl_add_cert_to_buf(buf, l, x)) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
X509_STORE_CTX xs_ctx;
|
X509_STORE_CTX xs_ctx;
|
||||||
|
|
||||||
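Review bot: Moving the extra_certs loop inside the `no_chain` branch (together with deleting the trailing loop in the hunk at @ -848) preserves behavior only if extra_certs is always NULL whenever no_chain stays 0; the `no_chain = 1;` line is context here and its condition is outside the hunk, so that invariant is worth confirming and recording next to the loop, e.g. `/* extra_certs is consulted only on this path: a configured extra chain forces no_chain above (confirm against that assignment), so the X509_STORE path never appends it. */`. As written, a reader has to reconstruct the relationship from code that is not in this hunk. The enclosing function continues before and after this hunk.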
@ -848,14 +849,6 @@ int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l) {
|
|||||||
}
|
}
|
||||||
X509_STORE_CTX_cleanup(&xs_ctx);
|
X509_STORE_CTX_cleanup(&xs_ctx);
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
for (i = 0; i < sk_X509_num(extra_certs); i++) {
|
|
||||||
x = sk_X509_value(extra_certs, i);
|
|
||||||
if (!ssl_add_cert_to_buf(buf, l, x)) {
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|