Google Git
Sign in
boringssl/boringssl.git/364f7a6d21f73d099f4f80800973174a8f71e90f^!/./include
commit
364f7a6d21f73d099f4f80800973174a8f71e90f
[log] [tgz]
author
Adam Langley <agl@google.com>
Mon Dec 12 10:51:00 2016 -0800
committer
CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Tue Dec 13 17:18:53 2016 +0000
tree
7379dd7f90e0594ce3992d7cd5a0e3be7288e663
parent
cb0c29ff75045fb9f7c2f9d827da4492a1840ba8 [diff]
Push the difference in chain semantics to the edge.

OpenSSL includes a leaf certificate in a certificate chain when it's a
client, but doesn't when it's a server. This is also reflected in the
serialisation of sessions.

This change makes the internal semantics consistent: the leaf is always
included in the chain in memory, and never duplicated when serialised.
To maintain the same API, SSL_get_peer_cert_chain will construct a copy
of the chain without the leaf if needed.

Since the serialised format of a client session has changed, an
|is_server| boolean is added to the ASN.1 that defaults to true. Thus
any old client sessions will be parsed as server sessions and (silently)
discarded by a client.

Change-Id: Ibcf72bc8a130cedb423bc0fd3417868e0af3ca3e
Reviewed-on: https://boringssl-review.googlesource.com/12704
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index d4b17c9..041895c 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h

@@ -3698,6 +3698,13 @@
    * |peer|, but when a server it does not. */
   STACK_OF(X509) *x509_chain;
 
+  /* x509_chain_without_leaf is a lazily constructed copy of |x509_chain| that
+   * omits the leaf certificate. This exists because OpenSSL, historically,
+   * didn't include the leaf certificate in the chain for a server, but did for
+   * a client. The |x509_chain| always includes it and, if an API call requires
+   * a chain without, it is stored here. */
+  STACK_OF(X509) *x509_chain_without_leaf;
+
   /* verify_result is the result of certificate verification in the case of
    * non-fatal certificate errors. */
   long verify_result;
@@ -3756,6 +3763,9 @@
 
   /* ticket_age_add_valid is non-zero if |ticket_age_add| is valid. */
   unsigned ticket_age_add_valid:1;
+
+  /* is_server is true if this session was created by a server. */
+  unsigned is_server:1;
 };
 
 /* ssl_cipher_preference_list_st contains a list of SSL_CIPHERs with