src - OpenBSD base system

diff options


context:
space:
mode:

author	Joel Sing <jsing@cvs.openbsd.org>	2022-01-08 13:00:00 +0000
committer	Joel Sing <jsing@cvs.openbsd.org>	2022-01-08 13:00:00 +0000
commit	9247f64f7d93af0232664f292ba3e9f1f608d196 (patch)
tree	1decbcb41e447dc60e87afa3a5bca23005666353 /lib/libssl
parent	3cb0529968ed659c67c73570312ee610037bb6b8 (diff)

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members into SSL_SESSION for the time being. More clean up to follow. ok inoguchi@ tb@

Diffstat (limited to 'lib/libssl')

-rw-r--r--

lib/libssl/ssl_cert.c

-rw-r--r--

lib/libssl/ssl_clnt.c

-rw-r--r--

lib/libssl/ssl_lib.c

-rw-r--r--

lib/libssl/ssl_locl.h

-rw-r--r--

lib/libssl/ssl_sess.c

-rw-r--r--

lib/libssl/ssl_srvr.c

-rw-r--r--

lib/libssl/tls13_client.c

-rw-r--r--

lib/libssl/tls13_server.c

8 files changed, 76 insertions, 171 deletions

diff --git a/lib/libssl/ssl_cert.c b/lib/libssl/ssl_cert.c
index c7355473936..e91de659ce9 100644
--- a/lib/libssl/ssl_cert.c
+++ b/lib/libssl/ssl_cert.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ssl_cert.c,v 1.92 2022/01/08 12:43:44 jsing Exp $ */

+/* $OpenBSD: ssl_cert.c,v 1.93 2022/01/08 12:59:58 jsing Exp $ */

@@ -347,41 +347,6 @@ ssl_cert_add1_chain_cert(SSL_CERT *c, X509 *cert)

return 1;

}

-SESS_CERT *

-ssl_sess_cert_new(void)

- SESS_CERT *ret;

- ret = calloc(1, sizeof *ret);

- if (ret == NULL) {

- SSLerrorx(ERR_R_MALLOC_FAILURE);

- return NULL;

- }

- ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA]);

- ret->references = 1;

- return ret;

-void

-ssl_sess_cert_free(SESS_CERT *sc)

- int i;

- if (sc == NULL)

- return;

- i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT);

- if (i > 0)

- return;

- sk_X509_pop_free(sc->cert_chain, X509_free);

- for (i = 0; i < SSL_PKEY_NUM; i++)

- X509_free(sc->peer_pkeys[i].x509);

- free(sc);

int

ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)

{

diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index c3912c3ebde..70b6fff6bf0 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ssl_clnt.c,v 1.127 2022/01/06 18:23:56 jsing Exp $ */

+/* $OpenBSD: ssl_clnt.c,v 1.128 2022/01/08 12:59:58 jsing Exp $ */

@@ -1076,7 +1076,6 @@ ssl3_get_server_certificate(SSL *s)

X509 *x = NULL;

const unsigned char *q;

STACK_OF(X509) *sk = NULL;

- SESS_CERT *sc;

EVP_PKEY *pkey = NULL;

if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_A,

@@ -1154,20 +1153,11 @@ ssl3_get_server_certificate(SSL *s)

}

ERR_clear_error(); /* but we keep s->verify_result */

- sc = ssl_sess_cert_new();

- if (sc == NULL)

- goto err;

- ssl_sess_cert_free(s->session->sess_cert);

- s->session->sess_cert = sc;

- sc->cert_chain = sk;

* Inconsistency alert: cert_chain does include the peer's

* certificate, which we don't include in s3_srvr.c

x = sk_X509_value(sk, 0);

- sk = NULL;

- /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/

pkey = X509_get_pubkey(x);

@@ -1185,20 +1175,21 @@ ssl3_get_server_certificate(SSL *s)

SSLerror(s, SSL_R_UNKNOWN_CERTIFICATE_TYPE);

goto fatal_err;

}

+ s->session->peer_cert_type = i;

+ sk_X509_pop_free(s->session->cert_chain, X509_free);

+ s->session->cert_chain = sk;

+ sk = NULL;

- sc->peer_cert_type = i;

X509_up_ref(x);

- /*

- * Why would the following ever happen?

- * We just created sc a couple of lines ago.

- */

- X509_free(sc->peer_pkeys[i].x509);

- sc->peer_pkeys[i].x509 = x;

- sc->peer_key = &(sc->peer_pkeys[i]);

+ X509_free(s->session->peer_pkeys[i].x509);

+ s->session->peer_pkeys[i].x509 = x;

+ s->session->peer_key = &s->session->peer_pkeys[i];

- X509_free(s->session->peer);

X509_up_ref(x);

+ X509_free(s->session->peer);

s->session->peer = x;

s->session->verify_result = s->verify_result;

x = NULL;

@@ -1225,11 +1216,9 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)

{

int nid = NID_dhKeyAgreement;

int invalid_params, invalid_key;

- SESS_CERT *sc;

long alg_a;

alg_a = S3I(s)->hs.cipher->algorithm_auth;

- sc = s->session->sess_cert;

tls_key_share_free(S3I(s)->hs.key_share);

if ((S3I(s)->hs.key_share = tls_key_share_new_nid(nid)) == NULL)

@@ -1254,7 +1243,7 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)

}

if (alg_a & SSL_aRSA)

- *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA].x509);

+ *pkey = X509_get_pubkey(s->session->peer_pkeys[SSL_PKEY_RSA].x509);

else

/* XXX - Anonymous DH, so no certificate or pkey. */

*pkey = NULL;

@@ -1275,11 +1264,9 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)

CBS public;

uint8_t curve_type;

uint16_t curve_id;

- SESS_CERT *sc;

long alg_a;

alg_a = S3I(s)->hs.cipher->algorithm_auth;

- sc = s->session->sess_cert;

if (!CBS_get_u8(cbs, &curve_type))

goto decode_err;

@@ -1319,9 +1306,9 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, CBS *cbs)

* and ECDSA.

if (alg_a & SSL_aRSA)

- *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA].x509);

+ *pkey = X509_get_pubkey(s->session->peer_pkeys[SSL_PKEY_RSA].x509);

else if (alg_a & SSL_aECDSA)

- *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_ECC].x509);

+ *pkey = X509_get_pubkey(s->session->peer_pkeys[SSL_PKEY_ECC].x509);

else

/* XXX - Anonymous ECDH, so no certificate or pkey. */

*pkey = NULL;

@@ -1381,12 +1368,6 @@ ssl3_get_server_key_exchange(SSL *s)

return (1);

}

- if (s->session->sess_cert == NULL) {

- s->session->sess_cert = ssl_sess_cert_new();

- if (s->session->sess_cert == NULL)

- goto err;

- }

param = CBS_data(&cbs);

param_len = CBS_len(&cbs);

@@ -1823,7 +1804,7 @@ ssl3_get_server_done(SSL *s)

}

static int

-ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)

+ssl3_send_client_kex_rsa(SSL *s, CBB *cbb)

{

unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH];

unsigned char *enc_pms = NULL;

@@ -1838,7 +1819,7 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)

* RSA-Encrypted Premaster Secret Message - RFC 5246 section 7.4.7.1.

- pkey = X509_get_pubkey(sess_cert->peer_pkeys[SSL_PKEY_RSA].x509);

+ pkey = X509_get_pubkey(s->session->peer_pkeys[SSL_PKEY_RSA].x509);

if (pkey == NULL || (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {

SSLerror(s, ERR_R_INTERNAL_ERROR);

goto err;

@@ -1890,7 +1871,7 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb)

}

static int

-ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb)

+ssl3_send_client_kex_dhe(SSL *s, CBB *cbb)

{

uint8_t *key = NULL;

size_t key_len = 0;

@@ -1922,7 +1903,7 @@ ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb)

}

static int

-ssl3_send_client_kex_ecdhe(SSL *s, SESS_CERT *sc, CBB *cbb)

+ssl3_send_client_kex_ecdhe(SSL *s, CBB *cbb)

{

uint8_t *key = NULL;

size_t key_len = 0;

@@ -1961,7 +1942,7 @@ ssl3_send_client_kex_ecdhe(SSL *s, SESS_CERT *sc, CBB *cbb)

}

static int

-ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb)

+ssl3_send_client_kex_gost(SSL *s, CBB *cbb)

{

unsigned char premaster_secret[32], shared_ukm[32], tmp[256];

EVP_PKEY *pub_key = NULL;

@@ -1975,7 +1956,7 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb)

CBB gostblob;

/* Get server sertificate PKEY and create ctx from it */

- peer_cert = sess_cert->peer_pkeys[SSL_PKEY_GOST01].x509;

+ peer_cert = s->session->peer_pkeys[SSL_PKEY_GOST01].x509;

if (peer_cert == NULL) {

SSLerror(s, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);

goto err;

@@ -2074,7 +2055,6 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb)

int

ssl3_send_client_key_exchange(SSL *s)

{

- SESS_CERT *sess_cert;

unsigned long alg_k;

CBB cbb, kex;

@@ -2083,28 +2063,21 @@ ssl3_send_client_key_exchange(SSL *s)

if (S3I(s)->hs.state == SSL3_ST_CW_KEY_EXCH_A) {

alg_k = S3I(s)->hs.cipher->algorithm_mkey;

- if ((sess_cert = s->session->sess_cert) == NULL) {

- ssl3_send_alert(s, SSL3_AL_FATAL,

- SSL_AD_UNEXPECTED_MESSAGE);

- SSLerror(s, ERR_R_INTERNAL_ERROR);

- goto err;

- }

if (!ssl3_handshake_msg_start(s, &cbb, &kex,

SSL3_MT_CLIENT_KEY_EXCHANGE))

goto err;

if (alg_k & SSL_kRSA) {

- if (!ssl3_send_client_kex_rsa(s, sess_cert, &kex))

+ if (!ssl3_send_client_kex_rsa(s, &kex))

goto err;

} else if (alg_k & SSL_kDHE) {

- if (!ssl3_send_client_kex_dhe(s, sess_cert, &kex))

+ if (!ssl3_send_client_kex_dhe(s, &kex))

goto err;

} else if (alg_k & SSL_kECDHE) {

- if (!ssl3_send_client_kex_ecdhe(s, sess_cert, &kex))

+ if (!ssl3_send_client_kex_ecdhe(s, &kex))

goto err;

} else if (alg_k & SSL_kGOST) {

- if (ssl3_send_client_kex_gost(s, sess_cert, &kex) != 1)

+ if (ssl3_send_client_kex_gost(s, &kex) != 1)

goto err;

} else {

ssl3_send_alert(s, SSL3_AL_FATAL,

@@ -2481,11 +2454,10 @@ ssl3_send_client_certificate(SSL *s)

int

ssl3_check_cert_and_algorithm(SSL *s)

{

- int i, idx;

- long alg_k, alg_a;

- EVP_PKEY *pkey = NULL;

- SESS_CERT *sc;

+ long alg_k, alg_a;

+ EVP_PKEY *pkey = NULL;

int nid = NID_undef;

+ int i, idx;

alg_k = S3I(s)->hs.cipher->algorithm_mkey;

alg_a = S3I(s)->hs.cipher->algorithm_auth;

@@ -2494,21 +2466,15 @@ ssl3_check_cert_and_algorithm(SSL *s)

if (alg_a & SSL_aNULL)

return (1);

- sc = s->session->sess_cert;

- if (sc == NULL) {

- SSLerror(s, ERR_R_INTERNAL_ERROR);

- goto err;

- }

if (S3I(s)->hs.key_share != NULL)

nid = tls_key_share_nid(S3I(s)->hs.key_share);

/* This is the passed certificate. */

- idx = sc->peer_cert_type;

+ idx = s->session->peer_cert_type;

if (idx == SSL_PKEY_ECC) {

if (ssl_check_srvr_ecc_cert_and_alg(

- sc->peer_pkeys[idx].x509, s) == 0) {

+ s->session->peer_pkeys[idx].x509, s) == 0) {

/* check failed */

SSLerror(s, SSL_R_BAD_ECC_CERT);

goto fatal_err;

@@ -2516,8 +2482,8 @@ ssl3_check_cert_and_algorithm(SSL *s)

return (1);

}

- pkey = X509_get_pubkey(sc->peer_pkeys[idx].x509);

- i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey);

+ pkey = X509_get_pubkey(s->session->peer_pkeys[idx].x509);

+ i = X509_certificate_type(s->session->peer_pkeys[idx].x509, pkey);

EVP_PKEY_free(pkey);

/* Check that we have a certificate if we require one. */

@@ -2536,9 +2502,10 @@ ssl3_check_cert_and_algorithm(SSL *s)

}

return (1);

fatal_err:

ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);

- err:

return (0);

}

diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index 64b18062382..fb0920cdf2d 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ssl_lib.c,v 1.282 2022/01/08 12:43:44 jsing Exp $ */

+/* $OpenBSD: ssl_lib.c,v 1.283 2022/01/08 12:59:58 jsing Exp $ */

@@ -883,20 +883,14 @@ SSL_get_peer_certificate(const SSL *s)

STACK_OF(X509) *

SSL_get_peer_cert_chain(const SSL *s)

{

- STACK_OF(X509) *r;

- if ((s == NULL) || (s->session == NULL) ||

- (s->session->sess_cert == NULL))

- r = NULL;

- else

- r = s->session->sess_cert->cert_chain;

+ if (s == NULL || s->session == NULL)

+ return NULL;

* If we are a client, cert_chain includes the peer's own

- * certificate;

- * if we are a server, it does not.

+ * certificate; if we are a server, it does not.

- return (r);

+ return s->session->cert_chain;

}

STACK_OF(X509) *

diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 637a789dd12..d559e7148a3 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h

@@ -1,4 +1,4 @@

-/* $OpenBSD: ssl_locl.h,v 1.378 2022/01/08 12:54:32 jsing Exp $ */

+/* $OpenBSD: ssl_locl.h,v 1.379 2022/01/08 12:59:59 jsing Exp $ */

@@ -511,8 +511,15 @@ struct ssl_session_st {

* not_resumable_session_cb to disable session caching and tickets. */

int not_resumable;

- /* The cert is the certificate used to establish this connection */

- struct sess_cert_st /* SESS_CERT */ *sess_cert;

+ STACK_OF(X509) *cert_chain; /* as received from peer */

+ /* The 'peer_...' members are used only by clients. */

+ int peer_cert_type;

+ /* Obviously we don't have the private keys of these,

+ * so maybe we shouldn't even use the SSL_CERT_PKEY type here. */

+ SSL_CERT_PKEY *peer_key; /* points to an element of peer_pkeys (never NULL!) */

+ SSL_CERT_PKEY peer_pkeys[SSL_PKEY_NUM];

size_t tlsext_ecpointformatlist_length;

uint8_t *tlsext_ecpointformatlist; /* peer's list */

@@ -1216,20 +1223,6 @@ typedef struct ssl3_state_st {

struct ssl3_state_internal_st *internal;

} SSL3_STATE;

-typedef struct sess_cert_st {

- STACK_OF(X509) *cert_chain; /* as received from peer */

- /* The 'peer_...' members are used only by clients. */

- int peer_cert_type;

- SSL_CERT_PKEY *peer_key; /* points to an element of peer_pkeys (never NULL!) */

- SSL_CERT_PKEY peer_pkeys[SSL_PKEY_NUM];

- /* Obviously we don't have the private keys of these,

- * so maybe we shouldn't even use the SSL_CERT_PKEY type here. */

- int references; /* actually always 1 at the moment */

-} SESS_CERT;

/*#define SSL_DEBUG */

/*#define RSA_DEBUG */

@@ -1295,8 +1288,6 @@ int ssl_cert_set1_chain(SSL_CERT *c, STACK_OF(X509) *chain);

int ssl_cert_add0_chain_cert(SSL_CERT *c, X509 *cert);

int ssl_cert_add1_chain_cert(SSL_CERT *c, X509 *cert);

-SESS_CERT *ssl_sess_cert_new(void);

-void ssl_sess_cert_free(SESS_CERT *sc);

int ssl_get_new_session(SSL *s, int session);

int ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block,

int *alert);

diff --git a/lib/libssl/ssl_sess.c b/lib/libssl/ssl_sess.c
index 2fa6af4564a..8d0f0b928cb 100644
--- a/lib/libssl/ssl_sess.c
+++ b/lib/libssl/ssl_sess.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ssl_sess.c,v 1.106 2021/10/25 10:01:46 jsing Exp $ */

+/* $OpenBSD: ssl_sess.c,v 1.107 2022/01/08 12:59:59 jsing Exp $ */

@@ -230,6 +230,8 @@ SSL_SESSION_new(void)

ss->next = NULL;

ss->tlsext_hostname = NULL;

+ ss->peer_key = &ss->peer_pkeys[SSL_PKEY_RSA];

ss->tlsext_ecpointformatlist_length = 0;

ss->tlsext_ecpointformatlist = NULL;

ss->tlsext_supportedgroups_length = 0;

@@ -760,7 +762,9 @@ SSL_SESSION_free(SSL_SESSION *ss)

explicit_bzero(ss->master_key, sizeof ss->master_key);

explicit_bzero(ss->session_id, sizeof ss->session_id);

- ssl_sess_cert_free(ss->sess_cert);

+ sk_X509_pop_free(ss->cert_chain, X509_free);

+ for (i = 0; i < SSL_PKEY_NUM; i++)

+ X509_free(ss->peer_pkeys[i].x509);

X509_free(ss->peer);

diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index 6e749438032..7f7a176950a 100644
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: ssl_srvr.c,v 1.133 2022/01/08 12:43:44 jsing Exp $ */

+/* $OpenBSD: ssl_srvr.c,v 1.134 2022/01/08 12:59:59 jsing Exp $ */

@@ -2235,29 +2235,17 @@ ssl3_get_client_certificate(SSL *s)

X509_free(s->session->peer);

s->session->peer = sk_X509_shift(sk);

- s->session->verify_result = s->verify_result;

- /*

- * With the current implementation, sess_cert will always be NULL

- * when we arrive here

- */

- if (s->session->sess_cert == NULL) {

- s->session->sess_cert = ssl_sess_cert_new();

- if (s->session->sess_cert == NULL) {

- SSLerror(s, ERR_R_MALLOC_FAILURE);

- goto err;

- }

- sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);

- s->session->sess_cert->cert_chain = sk;

* Inconsistency alert: cert_chain does *not* include the

* peer's own certificate, while we do include it in s3_clnt.c

+ sk_X509_pop_free(s->session->cert_chain, X509_free);

+ s->session->cert_chain = sk;

sk = NULL;

+ s->session->verify_result = s->verify_result;

ret = 1;

if (0) {

decode_err:

diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c
index 882bce8c1f6..d961f98bef4 100644
--- a/lib/libssl/tls13_client.c
+++ b/lib/libssl/tls13_client.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: tls13_client.c,v 1.90 2022/01/08 12:43:44 jsing Exp $ */

+/* $OpenBSD: tls13_client.c,v 1.91 2022/01/08 12:59:59 jsing Exp $ */

@@ -628,21 +628,19 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)

if ((cert_idx = ssl_cert_type(cert, pkey)) < 0)

goto err;

- ssl_sess_cert_free(s->session->sess_cert);

- if ((s->session->sess_cert = ssl_sess_cert_new()) == NULL)

- goto err;

- s->session->sess_cert->cert_chain = certs;

+ sk_X509_pop_free(s->session->cert_chain, X509_free);

+ s->session->cert_chain = certs;

certs = NULL;

X509_up_ref(cert);

- s->session->sess_cert->peer_pkeys[cert_idx].x509 = cert;

- s->session->sess_cert->peer_key = &(s->session->sess_cert->peer_pkeys[cert_idx]);

- X509_free(s->session->peer);

+ X509_free(s->session->peer_pkeys[cert_idx].x509);

+ s->session->peer_pkeys[cert_idx].x509 = cert;

+ s->session->peer_key = &s->session->peer_pkeys[cert_idx];

X509_up_ref(cert);

+ X509_free(s->session->peer);

s->session->peer = cert;

s->session->verify_result = s->verify_result;

if (ctx->ocsp_status_recv_cb != NULL &&

diff --git a/lib/libssl/tls13_server.c b/lib/libssl/tls13_server.c
index 4edf3881c2c..e31ae380767 100644
--- a/lib/libssl/tls13_server.c
+++ b/lib/libssl/tls13_server.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: tls13_server.c,v 1.92 2022/01/08 12:43:45 jsing Exp $ */

+/* $OpenBSD: tls13_server.c,v 1.93 2022/01/08 12:59:59 jsing Exp $ */

@@ -921,21 +921,19 @@ tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)

if ((cert_idx = ssl_cert_type(cert, pkey)) < 0)

goto err;

- ssl_sess_cert_free(s->session->sess_cert);

- if ((s->session->sess_cert = ssl_sess_cert_new()) == NULL)

- goto err;

- s->session->sess_cert->cert_chain = certs;

+ sk_X509_pop_free(s->session->cert_chain, X509_free);

+ s->session->cert_chain = certs;

certs = NULL;

X509_up_ref(cert);

- s->session->sess_cert->peer_pkeys[cert_idx].x509 = cert;

- s->session->sess_cert->peer_key = &(s->session->sess_cert->peer_pkeys[cert_idx]);

- X509_free(s->session->peer);

+ X509_free(s->session->peer_pkeys[cert_idx].x509);

+ s->session->peer_pkeys[cert_idx].x509 = cert;

+ s->session->peer_key = &s->session->peer_pkeys[cert_idx];

X509_up_ref(cert);

+ X509_free(s->session->peer);

s->session->peer = cert;

s->session->verify_result = s->verify_result;

ctx->handshake_stage.hs_type |= WITH_CCV;