From d3771e0135cfe9242f69b2ca116db0a4c8eba547 Mon Sep 17 00:00:00 2001
From: tb <tb@openbsd.org>
Date: Sat, 23 Oct 2021 13:12:55 +0000
Subject: [PATCH] Use X509_STORE_CTX_get0_chain() instead of grabbing the chain
 directly out of the X509_STORE_CTX.

ok jsing
---
 lib/libssl/ssl_both.c     | 4 ++--
 lib/libssl/tls13_server.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/libssl/ssl_both.c b/lib/libssl/ssl_both.c
index 637f34582fe..fe7173e8a42 100644
--- a/lib/libssl/ssl_both.c
+++ b/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_both.c,v 1.36 2021/10/23 08:34:36 jsing Exp $ */
+/* $OpenBSD: ssl_both.c,v 1.37 2021/10/23 13:12:55 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -368,7 +368,7 @@ ssl3_output_cert_chain(SSL *s, CBB *cbb, CERT_PKEY *cpk)
 		    X509_V_FLAG_LEGACY_VERIFY);
 		X509_verify_cert(xs_ctx);
 		ERR_clear_error();
-		chain = xs_ctx->chain;
+		chain = X509_STORE_CTX_get0_chain(xs_ctx);
 	}
 
 	for (i = 0; i < sk_X509_num(chain); i++) {
diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c
index d2c7abbf7c5..9c0369fc912 100644
--- a/lib/libssl/tls13_server.c
+++ b/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.84 2021/07/01 17:53:39 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.85 2021/10/23 13:12:55 tb Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -649,7 +649,7 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
 		    X509_V_FLAG_LEGACY_VERIFY);
 		X509_verify_cert(xsc);
 		ERR_clear_error();
-		chain = xsc->chain;
+		chain = X509_STORE_CTX_get0_chain(xsc);
 	}
 
 	if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context))
-- 
2.20.1