/* $OpenBSD: tls_lib.c,v 1.3 2022/11/26 16:08:56 tb Exp $ */
/*
 * Copyright (c) 2019, 2021 Joel Sing <jsing@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include "ssl_local.h"

/*
 * Validate the public key of the peer's leaf certificate and map it to a
 * certificate type.
 *
 * Raises an SSL error on s and returns -1 if the certificate carries no
 * public key, the key lacks its parameters, or ssl_cert_type() does not
 * recognise the key. Otherwise returns the (non-negative) certificate type.
 */
static int
tls_peer_leaf_cert_type(SSL *s, X509 *leaf)
{
	EVP_PKEY *pubkey;
	int type;

	if ((pubkey = X509_get0_pubkey(leaf)) == NULL) {
		SSLerror(s, SSL_R_NO_PUBLICKEY);
		return -1;
	}
	if (EVP_PKEY_missing_parameters(pubkey)) {
		SSLerror(s, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
		return -1;
	}
	if ((type = ssl_cert_type(pubkey)) < 0) {
		SSLerror(s, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
		return -1;
	}

	return type;
}

/*
 * Record the peer's certificate chain on the session and handshake state.
 *
 * The first element of peer_certs is taken as the leaf certificate. Its
 * public key is validated (see tls_peer_leaf_cert_type()) before any state
 * is touched; on a validation failure nothing in s is modified. On success
 * s->session->peer_cert_type and s->session->peer_cert are replaced,
 * s->s3->hs.peer_certs receives a fresh reference to the whole chain and
 * s->s3->hs.peer_certs_no_leaf the same chain with the leaf removed. The
 * function takes its own references (X509_up_ref/X509_chain_up_ref), so
 * the caller keeps ownership of peer_certs.
 *
 * Returns 1 on success and 0 on failure. If duplicating the chain fails,
 * the session leaf has already been replaced and s->s3->hs.peer_certs is
 * left NULL.
 */
int
tls_process_peer_certs(SSL *s, STACK_OF(X509) *peer_certs)
{
	STACK_OF(X509) *chain, *chain_no_leaf;
	X509 *leaf;
	int type;

	if (sk_X509_num(peer_certs) < 1)
		return 0;

	/* Hold our own reference to the leaf while it is validated. */
	leaf = sk_X509_value(peer_certs, 0);
	X509_up_ref(leaf);

	if ((type = tls_peer_leaf_cert_type(s, leaf)) < 0) {
		X509_free(leaf);
		return 0;
	}

	s->session->peer_cert_type = type;

	/* Our leaf reference now belongs to the session. */
	X509_free(s->session->peer_cert);
	s->session->peer_cert = leaf;

	sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
	chain = X509_chain_up_ref(peer_certs);
	s->s3->hs.peer_certs = chain;
	if (chain == NULL)
		return 0;

	if ((chain_no_leaf = X509_chain_up_ref(peer_certs)) == NULL)
		return 0;
	/* Drop the leaf from the copy, releasing the reference the copy held. */
	X509_free(sk_X509_shift(chain_no_leaf));
	sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
	s->s3->hs.peer_certs_no_leaf = chain_no_leaf;

	return 1;
}