authorJoel Sing <jsing@cvs.openbsd.org>2019-03-25 16:24:58 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2019-03-25 16:24:58 +0000
commit9b2f49e3230746dc7500723301884a41e1e4d912 (patch)
tree8124e89f053168aa7c66c0fe87a4bff32ef419c9 /lib/libssl
parent23d3018a677f8e8f874df872cd76ee55e0ddec2f (diff)
Add a chain member to CERT_PKEY and provide functions for manipulating it.
Note that this is not the full chain, as the leaf certificate currently remains in the x509 member of CERT_PKEY. Unfortunately we've got to contend with the fact that some OpenSSL *_chain_* APIs exclude the leaf certificate while others include it... ok beck@ tb@
Diffstat (limited to 'lib/libssl')
-rw-r--r--lib/libssl/ssl_cert.c68
-rw-r--r--lib/libssl/ssl_locl.h9
2 files changed, 74 insertions, 3 deletions
diff --git a/lib/libssl/ssl_cert.c b/lib/libssl/ssl_cert.c
index 313ff3ae5ca..ab76939116e 100644
--- a/lib/libssl/ssl_cert.c
+++ b/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.72 2018/11/19 14:42:01 jsing Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.73 2019/03/25 16:24:57 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -275,6 +275,12 @@ ssl_cert_dup(CERT *cert)
SSLerrorx(SSL_R_LIBRARY_BUG);
}
}
+
+ if (cert->pkeys[i].chain != NULL) {
+ if ((ret->pkeys[i].chain =
+ X509_chain_up_ref(cert->pkeys[i].chain)) == NULL)
+ goto err;
+ }
}
/*
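Review bot: The chain copy on the added lines is taken by reference (X509_chain_up_ref bumps each certificate's count rather than deep-copying), so after ssl_cert_dup both CERTs point at the same X509 objects; a one-line comment above the new block, `/* shared by reference; the X509s are not deep-copied */`, would make that ownership visible to the next reader. The error path in the following hunk unconditionally pop-frees ret->pkeys[i].chain for every slot, including slots this loop has not reached yet, which is only safe if ret comes back zeroed from ssl_cert_new (not visible here, presumably calloc) — worth confirming, as a stale pointer there would be a double free. ssl_cert_dup starts and ends outside this hunk.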
@@ -291,12 +297,13 @@ ssl_cert_dup(CERT *cert)
return (ret);
-err:
+ err:
DH_free(ret->dh_tmp);
for (i = 0; i < SSL_PKEY_NUM; i++) {
X509_free(ret->pkeys[i].x509);
EVP_PKEY_free(ret->pkeys[i].privatekey);
+ sk_X509_pop_free(ret->pkeys[i].chain, X509_free);
}
free (ret);
return NULL;
@@ -320,11 +327,68 @@ ssl_cert_free(CERT *c)
for (i = 0; i < SSL_PKEY_NUM; i++) {
X509_free(c->pkeys[i].x509);
EVP_PKEY_free(c->pkeys[i].privatekey);
+ sk_X509_pop_free(c->pkeys[i].chain, X509_free);
}
free(c);
}
+int
+ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain)
+{
+ if (c->key == NULL)
+ return 0;
+
+ sk_X509_pop_free(c->key->chain, X509_free);
+ c->key->chain = chain;
+
+ return 1;
+}
+
+int
+ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain)
+{
+ STACK_OF(X509) *new_chain = NULL;
+
+ if (chain != NULL) {
+ if ((new_chain = X509_chain_up_ref(chain)) == NULL)
+ return 0;
+ }
+ if (!ssl_cert_set0_chain(c, new_chain)) {
+ sk_X509_pop_free(new_chain, X509_free);
+ return 0;
+ }
+
+ return 1;
+}
+
+int
+ssl_cert_add0_chain_cert(CERT *c, X509 *cert)
+{
+ if (c->key == NULL)
+ return 0;
+
+ if (c->key->chain == NULL) {
+ if ((c->key->chain = sk_X509_new_null()) == NULL)
+ return 0;
+ }
+ if (!sk_X509_push(c->key->chain, cert))
+ return 0;
+
+ return 1;
+}
+
+int
+ssl_cert_add1_chain_cert(CERT *c, X509 *cert)
+{
+ if (!ssl_cert_add0_chain_cert(c, cert))
+ return 0;
+
+ X509_up_ref(cert);
+
+ return 1;
+}
+
SESS_CERT *
ssl_sess_cert_new(void)
{
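Review bot: In ssl_cert_add1_chain_cert the X509_up_ref() return value is ignored and the reference is taken only after the certificate has already been pushed onto c->key->chain; if the up-ref fails the chain holds a pointer it does not own, and sk_X509_pop_free will later drop a reference the caller still holds. Taking the reference first and releasing it when ssl_cert_add0_chain_cert fails keeps the stack's contents always owned. The four new functions also lack a note on ownership, which is the only thing that distinguishes the 0 and 1 variants: on ssl_cert_set0_chain a comment such as `/* Takes ownership of chain; on a 0 return the caller still owns it. */`, and on ssl_cert_add0_chain_cert `/* Takes ownership of cert's reference on success only. */`. Whether a NULL cert can reach add0 is not visible here; if it can, sk_X509_push would accept it and X509_up_ref(NULL) would then dereference it, so a NULL check at the top of add0 may be warranted.
```c
int
ssl_cert_add1_chain_cert(CERT *c, X509 *cert)
{
	if (!X509_up_ref(cert))
		return 0;
	if (!ssl_cert_add0_chain_cert(c, cert)) {
		X509_free(cert);
		return 0;
	}

	return 1;
}
```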
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 82674121b4d..509183a7faa 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.238 2019/02/25 19:40:05 tb Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.239 2019/03/25 16:24:57 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -961,6 +961,7 @@ typedef struct dtls1_state_internal_st {
typedef struct cert_pkey_st {
X509 *x509;
EVP_PKEY *privatekey;
+ STACK_OF(X509) *chain;
/* sigalg to use when signing */
const struct ssl_sigalg *sigalg;
} CERT_PKEY;
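Review bot: The new chain member is undocumented, and the commit message itself says the leaf stays in x509 while some *_chain_* APIs include the leaf and others do not, so the struct is the place to pin that down; the existing sigalg member already carries a comment in this style. Suggest `STACK_OF(X509) *chain; /* extra certs for the handshake; the leaf stays in x509 */`. Stating whether chain is owned by the CERT_PKEY (ssl_cert_free pop-frees it, so it is) would also help readers of the set0/add0 callers.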
@@ -1081,9 +1082,15 @@ void ssl_clear_cipher_state(SSL *s);
void ssl_clear_cipher_read_state(SSL *s);
void ssl_clear_cipher_write_state(SSL *s);
int ssl_clear_bad_session(SSL *s);
+
CERT *ssl_cert_new(void);
CERT *ssl_cert_dup(CERT *cert);
void ssl_cert_free(CERT *c);
+int ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain);
+int ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain);
+int ssl_cert_add0_chain_cert(CERT *c, X509 *cert);
+int ssl_cert_add1_chain_cert(CERT *c, X509 *cert);
+
SESS_CERT *ssl_sess_cert_new(void);
void ssl_sess_cert_free(SESS_CERT *sc);
int ssl_get_new_session(SSL *s, int session);