From 98e04f9eeb6fcd673a9952fcfab90f38fdf8e7d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bodo=20M=C3=B6ller?= Date: Mon, 27 Mar 2000 18:07:45 +0000 Subject: [PATCH] Comments for SSL_get_peer_cert_chain inconsistency. --- ssl/s3_clnt.c | 2 ++ ssl/s3_srvr.c | 2 ++ ssl/ssl_lib.c | 3 +++ 3 files changed, 7 insertions(+) diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 279d2c0198..0c8f551f73 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -772,6 +772,8 @@ static int ssl3_get_server_certificate(SSL *s) s->session->sess_cert=sc; sc->cert_chain=sk; + /* Inconsistency alert: cert_chain does include the peer's + * certificate, which we don't include in s3_srvr.c */ x=sk_X509_value(sk,0); sk=NULL; diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 90806e2d99..e23ca20bd3 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -1698,6 +1698,8 @@ static int ssl3_get_client_certificate(SSL *s) if (s->session->sess_cert->cert_chain != NULL) sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free); s->session->sess_cert->cert_chain=sk; + /* Inconsistency alert: cert_chain does *not* include the + * peer's own certificate, while we do include it in s3_clnt.c */ sk=NULL; diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 3109708480..c515c41b4e 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -599,6 +599,9 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s) else r=s->session->sess_cert->cert_chain; + /* If we are a client, cert_chain includes the peer's own + * certificate; if we are a server, it does not. */ + return(r); } -- GitLab
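Review bot: The comment added after `sc->cert_chain=sk;` flags the inconsistency but does not name the public accessor through which it becomes visible, so a reader of ssl/s3_clnt.c cannot tell which callers are affected. The matching comment added in ssl/s3_srvr.c after `s->session->sess_cert->cert_chain=sk;` has the same gap, and the code that leaves the peer's certificate out of `sk` on the server side is not visible in that hunk. I would word the client one as `/* Inconsistency alert: cert_chain (as returned by SSL_get_peer_cert_chain) includes the peer's own certificate here; s3_srvr.c stores the chain without it */` and mirror it on the server side. Both functions start and end outside their hunks.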
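Review bot: This caveat is part of the contract of SSL_get_peer_cert_chain, but it sits inside the body just before `return(r);`, where someone reading the function's header or prototype will not see it. A server-side caller that checks or pins the returned stack on the assumption that its first element is the client's certificate would be examining a different certificate, so the comment belongs above the function and should say where the leaf comes from. Something like `/* On a server the returned stack omits the peer's own certificate (use SSL_get_peer_certificate() for it); on a client the stack includes it. */` would cover it. The function's opening lines are outside the hunk.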