From dc2a950bb3916f33d90f91583279ae4ff4521299 Mon Sep 17 00:00:00 2001
From: tb
Date: Wed, 29 Jun 2022 21:18:04 +0000
Subject: [PATCH] Make ssl_cert_add{0,1}_chain_cert() take ssl/ctx

ok beck jsing
---
 lib/libssl/s3_lib.c | 10 +++++-----
 lib/libssl/ssl_cert.c | 28 ++++++++++++++++++++--------
 lib/libssl/ssl_locl.h | 6 +++---
 lib/libssl/ssl_rsa.c | 8 ++------
 4 files changed, 30 insertions(+), 22 deletions(-)

diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index abc72565fa0..4575a141cf8 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.232 2022/06/29 21:17:22 tb Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.233 2022/06/29 21:18:04 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1879,13 +1879,13 @@ SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain)
 int
 SSL_add0_chain_cert(SSL *ssl, X509 *x509)
 {
-	return ssl_cert_add0_chain_cert(ssl->cert, x509);
+	return ssl_cert_add0_chain_cert(NULL, ssl, x509);
 }
 
 int
 SSL_add1_chain_cert(SSL *ssl, X509 *x509)
 {
-	return ssl_cert_add1_chain_cert(ssl->cert, x509);
+	return ssl_cert_add1_chain_cert(NULL, ssl, x509);
 }
 
 int
@@ -2267,13 +2267,13 @@ SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
 int
 SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509)
 {
-	return ssl_cert_add0_chain_cert(ctx->internal->cert, x509);
+	return ssl_cert_add0_chain_cert(ctx, NULL, x509);
 }
 
 int
 SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509)
 {
-	return ssl_cert_add1_chain_cert(ctx->internal->cert, x509);
+	return ssl_cert_add1_chain_cert(ctx, NULL, x509);
 }
 
 int
diff --git a/lib/libssl/ssl_cert.c b/lib/libssl/ssl_cert.c
index 102ad66bbb0..b5db579489e 100644
--- a/lib/libssl/ssl_cert.c
+++ b/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.100 2022/06/29 21:17:22 tb Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.101 2022/06/29 21:18:04 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
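Review bot: SSL_add0_chain_cert() and SSL_add1_chain_cert() gain a new way to return 0 that the wrappers do not document: with the SSL_CERT argument replaced by `NULL, ssl`, the certificate now goes through the ssl_security_cert() check added in ssl_cert_add0_chain_cert() (ssl_cert.c hunk), so a well-formed x509 can be rejected where before only a missing key or a stack allocation failure produced 0. Callers that treat 0 as an out-of-memory condition will misreport the cause. A brief comment on each wrapper, `/* Returns 0 (with an error queued) if x509 fails the security check. */`, or a matching manual-page update would make the new contract visible. The SSL_CTX_* wrappers in the second hunk have the same change.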
@@ -358,25 +358,37 @@ ssl_cert_set1_chain(SSL_CTX *ctx, SSL *ssl, STACK_OF(X509) *chain)
 }
 
 int
-ssl_cert_add0_chain_cert(SSL_CERT *c, X509 *cert)
+ssl_cert_add0_chain_cert(SSL_CTX *ctx, SSL *ssl, X509 *cert)
 {
-	if (c->key == NULL)
+	SSL_CERT *ssl_cert;
+	SSL_CERT_PKEY *cpk;
+	int ssl_err;
+
+	if ((ssl_cert = ssl_get0_cert(ctx, ssl)) == NULL)
 		return 0;
-	if (c->key->chain == NULL) {
-		if ((c->key->chain = sk_X509_new_null()) == NULL)
+	if ((cpk = ssl_cert->key) == NULL)
+		return 0;
+
+	if (!ssl_security_cert(ctx, ssl, cert, 0, &ssl_err)) {
+		SSLerrorx(ssl_err);
+		return 0;
+	}
+
+	if (cpk->chain == NULL) {
+		if ((cpk->chain = sk_X509_new_null()) == NULL)
 			return 0;
 	}
-	if (!sk_X509_push(c->key->chain, cert))
+	if (!sk_X509_push(cpk->chain, cert))
 		return 0;
 
 	return 1;
 }
 
 int
-ssl_cert_add1_chain_cert(SSL_CERT *c, X509 *cert)
+ssl_cert_add1_chain_cert(SSL_CTX *ctx, SSL *ssl, X509 *cert)
 {
-	if (!ssl_cert_add0_chain_cert(c, cert))
+	if (!ssl_cert_add0_chain_cert(ctx, ssl, cert))
 		return 0;
 
 	X509_up_ref(cert);
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index fd644e5b376..b46e37f5eb0 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.406 2022/06/29 21:17:22 tb Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.407 2022/06/29 21:18:04 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
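Review bot: In ssl_cert_add0_chain_cert() only the ssl_security_cert() failure records an error; the `ssl_get0_cert()` and `ssl_cert->key == NULL` returns and the sk_X509_new_null()/sk_X509_push() failures still return a bare 0 with nothing on the error queue, so a caller sees the same result for out-of-memory as for a missing private key. Adding `SSLerrorx(ERR_R_MALLOC_FAILURE);` before the `return 0;` of the two stack failures would at least distinguish the allocation cases, if that matches how the rest of this file reports them. The ownership rule is also worth stating above the function, e.g. `/* On success the chain owns cert; on failure the caller keeps it. */`, since ssl_rsa.c relies on exactly that to X509_free() a rejected ca. The fourth argument to ssl_security_cert() is a bare 0 whose meaning is not visible in this hunk; a short comment naming the flag it sets would help the next reader. ssl_cert_add1_chain_cert() continues past the end of the hunk.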
@@ -1288,8 +1288,8 @@ void ssl_cert_free(SSL_CERT *c);
 SSL_CERT *ssl_get0_cert(SSL_CTX *ctx, SSL *ssl);
 int ssl_cert_set0_chain(SSL_CTX *ctx, SSL *ssl, STACK_OF(X509) *chain);
 int ssl_cert_set1_chain(SSL_CTX *ctx, SSL *ssl, STACK_OF(X509) *chain);
-int ssl_cert_add0_chain_cert(SSL_CERT *c, X509 *cert);
-int ssl_cert_add1_chain_cert(SSL_CERT *c, X509 *cert);
+int ssl_cert_add0_chain_cert(SSL_CTX *ctx, SSL *ssl, X509 *cert);
+int ssl_cert_add1_chain_cert(SSL_CTX *ctx, SSL *ssl, X509 *cert);
 int ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int op,
     int bits, int nid, void *other, void *ex_data);
diff --git a/lib/libssl/ssl_rsa.c b/lib/libssl/ssl_rsa.c
index 32634a7f0d8..9a1f916e575 100644
--- a/lib/libssl/ssl_rsa.c
+++ b/lib/libssl/ssl_rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_rsa.c,v 1.43 2022/06/29 21:17:22 tb Exp $ */
+/* $OpenBSD: ssl_rsa.c,v 1.44 2022/06/29 21:18:04 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -641,7 +641,6 @@ use_certificate_chain_bio(SSL_CTX *ctx, SSL *ssl, BIO *in)
 {
 	pem_password_cb *passwd_cb;
 	void *passwd_arg;
-	SSL_CERT *cert;
 	X509 *ca, *x = NULL;
 	unsigned long err;
 	int ret = 0;
@@ -655,9 +654,6 @@ use_certificate_chain_bio(SSL_CTX *ctx, SSL *ssl, BIO *in)
 		goto err;
 	}
 
-	if ((cert = ssl_get0_cert(ctx, ssl)) == NULL)
-		goto err;
-
 	if (!ssl_set_cert(ctx, ssl, x))
 		goto err;
 
@@ -667,7 +663,7 @@ use_certificate_chain_bio(SSL_CTX *ctx, SSL *ssl, BIO *in)
 	/* Process any additional CA certificates. */
 	while ((ca = PEM_read_bio_X509(in, NULL, passwd_cb, passwd_arg)) !=
 	    NULL) {
-		if (!ssl_cert_add0_chain_cert(cert, ca)) {
+		if (!ssl_cert_add0_chain_cert(ctx, ssl, ca)) {
 			X509_free(ca);
 			goto err;
 		}
-- 
2.20.1
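Review bot: The comment `/* Process any additional CA certificates. */` above the loop in use_certificate_chain_bio() no longer describes the whole step: ssl_cert_add0_chain_cert() now runs ssl_security_cert() on each certificate (ssl_cert.c hunk), so a PEM bundle with one intermediate that fails that check aborts the entire load via `goto err`, a behaviour change for existing chain files. Suggest `/* Process any additional CA certificates; each must pass the security check or the whole load fails. */`. The `X509_free(ca)` on the failure path stays correct because add0 only takes ownership of ca when it returns 1. The err label and the PEM end-of-file handling lie outside the hunk.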