From 5dbcc7f027b590f42a20e955ec7657768107a685 Mon Sep 17 00:00:00 2001
From: tb
Date: Wed, 29 Jun 2022 21:17:22 +0000
Subject: [PATCH] ssl_cert_set{0,1}_chain() take ssl/ctx

ok beck jsing
---
 lib/libssl/s3_lib.c | 14 +++++++-------
 lib/libssl/ssl_cert.c | 31 ++++++++++++++++++++++++-------
 lib/libssl/ssl_locl.h | 6 +++---
 lib/libssl/ssl_rsa.c | 4 ++--
 4 files changed, 36 insertions(+), 19 deletions(-)

diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index 12eb9f4af45..abc72565fa0 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.231 2022/06/29 17:39:20 beck Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.232 2022/06/29 21:17:22 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1867,13 +1867,13 @@ _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len)
 int
 SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain)
 {
-	return ssl_cert_set0_chain(ssl->cert, chain);
+	return ssl_cert_set0_chain(NULL, ssl, chain);
 }
 
 int
 SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain)
 {
-	return ssl_cert_set1_chain(ssl->cert, chain);
+	return ssl_cert_set1_chain(NULL, ssl, chain);
 }
 
 int
@@ -1902,7 +1902,7 @@ SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain)
 int
 SSL_clear_chain_certs(SSL *ssl)
 {
-	return ssl_cert_set0_chain(ssl->cert, NULL);
+	return ssl_cert_set0_chain(NULL, ssl, NULL);
 }
 
 int
@@ -2255,13 +2255,13 @@ _SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg)
 int
 SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
 {
-	return ssl_cert_set0_chain(ctx->internal->cert, chain);
+	return ssl_cert_set0_chain(ctx, NULL, chain);
 }
 
 int
 SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
 {
-	return ssl_cert_set1_chain(ctx->internal->cert, chain);
+	return ssl_cert_set1_chain(ctx, NULL, chain);
 }
 
 int
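Review bot: SSL_set0_chain, SSL_set1_chain, SSL_CTX_set0_chain and SSL_CTX_set1_chain in these hunks gain a failure mode that is not visible from the wrappers themselves: the callee, ssl_cert_set0_chain in the ssl_cert.c hunk of this patch, now rejects any chain certificate that fails ssl_security_cert and queues an error, where the old code could only fail on a missing key. Since these are public entry points, the manual page that documents them should say that the chain is checked against the configured security level and that, for the set0 variants, the caller keeps ownership of `chain` when the call fails. A short comment above SSL_set0_chain would also help readers of this file, e.g. `/* Chain certificates are checked against the security level; see ssl_cert_set0_chain(). */`.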
@@ -2290,7 +2290,7 @@ SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain)
 int
 SSL_CTX_clear_chain_certs(SSL_CTX *ctx)
 {
-	return ssl_cert_set0_chain(ctx->internal->cert, NULL);
+	return ssl_cert_set0_chain(ctx, NULL, NULL);
 }
 
 static int
diff --git a/lib/libssl/ssl_cert.c b/lib/libssl/ssl_cert.c
index 21937f85136..102ad66bbb0 100644
--- a/lib/libssl/ssl_cert.c
+++ b/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.99 2022/06/29 21:12:19 tb Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.100 2022/06/29 21:17:22 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -312,19 +312,36 @@ ssl_get0_cert(SSL_CTX *ctx, SSL *ssl)
 }
 
 int
-ssl_cert_set0_chain(SSL_CERT *c, STACK_OF(X509) *chain)
+ssl_cert_set0_chain(SSL_CTX *ctx, SSL *ssl, STACK_OF(X509) *chain)
 {
-	if (c->key == NULL)
+	SSL_CERT *ssl_cert;
+	SSL_CERT_PKEY *cpk;
+	X509 *x509;
+	int ssl_err;
+	int i;
+
+	if ((ssl_cert = ssl_get0_cert(ctx, ssl)) == NULL)
+		return 0;
+
+	if ((cpk = ssl_cert->key) == NULL)
 		return 0;
 
-	sk_X509_pop_free(c->key->chain, X509_free);
-	c->key->chain = chain;
+	for (i = 0; i < sk_X509_num(chain); i++) {
+		x509 = sk_X509_value(chain, i);
+		if (!ssl_security_cert(ctx, ssl, x509, 0, &ssl_err)) {
+			SSLerrorx(ssl_err);
+			return 0;
+		}
+	}
+
+	sk_X509_pop_free(cpk->chain, X509_free);
+	cpk->chain = chain;
 
 	return 1;
 }
 
 int
-ssl_cert_set1_chain(SSL_CERT *c, STACK_OF(X509) *chain)
+ssl_cert_set1_chain(SSL_CTX *ctx, SSL *ssl, STACK_OF(X509) *chain)
 {
 	STACK_OF(X509) *new_chain = NULL;
 
@@ -332,7 +349,7 @@ ssl_cert_set1_chain(SSL_CERT *c, STACK_OF(X509) *chain)
 		if ((new_chain = X509_chain_up_ref(chain)) == NULL)
 			return 0;
 	}
-	if (!ssl_cert_set0_chain(c, new_chain)) {
+	if (!ssl_cert_set0_chain(ctx, ssl, new_chain)) {
 		sk_X509_pop_free(new_chain, X509_free);
 		return 0;
 	}
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 83374fa69f3..fd644e5b376 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
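Review bot: ssl_cert_set0_chain can now fail after its caller has handed over `chain` (the ssl_security_cert loop in the ssl_cert.c hunk), and nothing in the hunk says who owns the stack in that case; because the check runs before `sk_X509_pop_free(cpk->chain, X509_free)`, a rejected chain leaves the existing chain untouched and the caller still owns the new one, which ssl_cert_set1_chain relies on when it frees new_chain on failure. A comment above the function would pin this contract down, e.g. `/* Takes ownership of chain only on success; on failure the caller still owns it and the existing chain is left in place. */`. Separately, the two `== NULL` early returns fail without queueing an error while the security-level rejection calls SSLerrorx(ssl_err), so a caller seeing 0 cannot tell a missing key from a rejected certificate by looking at the error stack; if that asymmetry is intentional, a one-line comment saying so would keep someone from "fixing" it later.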
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.405 2022/06/29 21:12:19 tb Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.406 2022/06/29 21:17:22 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1286,8 +1286,8 @@ SSL_CERT *ssl_cert_new(void);
 SSL_CERT *ssl_cert_dup(SSL_CERT *cert);
 void ssl_cert_free(SSL_CERT *c);
 SSL_CERT *ssl_get0_cert(SSL_CTX *ctx, SSL *ssl);
-int ssl_cert_set0_chain(SSL_CERT *c, STACK_OF(X509) *chain);
-int ssl_cert_set1_chain(SSL_CERT *c, STACK_OF(X509) *chain);
+int ssl_cert_set0_chain(SSL_CTX *ctx, SSL *ssl, STACK_OF(X509) *chain);
+int ssl_cert_set1_chain(SSL_CTX *ctx, SSL *ssl, STACK_OF(X509) *chain);
 int ssl_cert_add0_chain_cert(SSL_CERT *c, X509 *cert);
 int ssl_cert_add1_chain_cert(SSL_CERT *c, X509 *cert);
 
diff --git a/lib/libssl/ssl_rsa.c b/lib/libssl/ssl_rsa.c
index 11296d3baa7..32634a7f0d8 100644
--- a/lib/libssl/ssl_rsa.c
+++ b/lib/libssl/ssl_rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_rsa.c,v 1.42 2022/06/29 21:16:30 tb Exp $ */
+/* $OpenBSD: ssl_rsa.c,v 1.43 2022/06/29 21:17:22 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -661,7 +661,7 @@ use_certificate_chain_bio(SSL_CTX *ctx, SSL *ssl, BIO *in)
 	if (!ssl_set_cert(ctx, ssl, x))
 		goto err;
 
-	if (!ssl_cert_set0_chain(cert, NULL))
+	if (!ssl_cert_set0_chain(ctx, ssl, NULL))
 		goto err;
 
 	/* Process any additional CA certificates. */
-- 
2.20.1
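Review bot: The ssl_cert_add0_chain_cert and ssl_cert_add1_chain_cert prototypes kept as context right below the changed lines still take only an `SSL_CERT *`, so they have no ctx/ssl with which to call ssl_security_cert the way ssl_cert_set0_chain now does; a certificate appended through SSL_add0_chain_cert or SSL_add1_chain_cert would presumably skip the security-level check that the same certificate in a set0_chain call now fails. The same gap likely applies to use_certificate_chain_bio in the ssl_rsa.c hunk on this line: it resets the chain through the checked path and then continues outside the hunk, where the remaining PEM certificates are (I assume) appended one by one through the add0 variant. Unless a follow-up converts them, I would change the two prototypes now to `int ssl_cert_add0_chain_cert(SSL_CTX *ctx, SSL *ssl, X509 *cert);` and `int ssl_cert_add1_chain_cert(SSL_CTX *ctx, SSL *ssl, X509 *cert);` so that both ways of building a chain enforce the same policy.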