minor fixes

aws · Feb 13, 2025 · 9781ebe · 9781ebe
1 parent 0805e62
commit 9781ebe
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 17 deletions.
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
@@ -1262,13 +1262,13 @@ OPENSSL_EXPORT int SSL_set_signing_algorithm_prefs(SSL *ssl,
 // If the override argument is 0, then |x509|, |privatekey|, and |chain| are
 // set only if all were not previously set. If override is non-0, then the
 // certificate, private key and chain certs are always set. |privatekey| and
-// |x509| are not copied or duplicated, their reference count is increased
-// incremented. In OpenSSL, a shallow copy of |chain| is stored with a
-// reference count increment for all X509 objects in the chain. In AWS-LC,
-// we represent X509 chains as CRYPTO_BUFFER stack. Therefore, we create a
+// |x509| are not copied or duplicated, their reference count is incremented.
+// In OpenSSL, a shallow copy of |chain| is stored with a reference count
+// increment for all X509 objects in the chain. In AWS-LC,
+// we represent X509 chains as a CRYPTO_BUFFER stack. Therefore, we create a
 // an internal copy and leave the |chain| parameter untouched. This means,
-// changes after this function to |chain| will not update in |ctx|.
-
+// changes to |chain| after this function is called will not update in |ctx|.
+//
 // Returns one on success and zero on error.
 OPENSSL_EXPORT int SSL_CTX_use_cert_and_key(SSL_CTX *ctx, X509 *x509,
                                             EVP_PKEY *privatekey,

diff --git a/ssl/ssl_cert.cc b/ssl/ssl_cert.cc
@@ -117,7 +117,6 @@
 #include <assert.h>
 #include <limits.h>
 #include <string.h>
-#include <vector>
 
 #include <utility>
 
@@ -961,15 +960,26 @@ BSSL_NAMESPACE_END
 
 using namespace bssl;
 
+static int cert_array_to_stack(CRYPTO_BUFFER *const *from,
+                              UniquePtr<STACK_OF(CRYPTO_BUFFER)> *to,
+                              size_t num_certs) {
+  for (size_t i = 0; i < num_certs; i++) {
+    if (!PushToStack(to->get(), UpRef(from[i]))) {
+      return 0;
+    }
+  }
+  return 1;
+}
+
 int SSL_set_chain_and_key(SSL *ssl, CRYPTO_BUFFER *const *certs,
                           size_t num_certs, EVP_PKEY *privkey,
                           const SSL_PRIVATE_KEY_METHOD *privkey_method) {
   if (!ssl->config) {
     return 0;
   }
   UniquePtr<STACK_OF(CRYPTO_BUFFER)> crypto_certs(sk_CRYPTO_BUFFER_new_null());
-  for (size_t i = 0; i < num_certs; i++) {
-    PushToStack(crypto_certs.get(), UpRef(certs[i]));
+  if (cert_array_to_stack(certs, &crypto_certs, num_certs)) {
+    return 0;
   }
   return cert_set_chain_and_key(ssl->config->cert.get(), &crypto_certs, num_certs,
                                 privkey, privkey_method, 1);
@@ -979,8 +989,8 @@ int SSL_CTX_set_chain_and_key(SSL_CTX *ctx, CRYPTO_BUFFER *const *certs,
                               size_t num_certs, EVP_PKEY *privkey,
                               const SSL_PRIVATE_KEY_METHOD *privkey_method) {
   UniquePtr<STACK_OF(CRYPTO_BUFFER)> crypto_certs(sk_CRYPTO_BUFFER_new_null());
-  for (size_t i = 0; i < num_certs; i++) {
-    PushToStack(crypto_certs.get(), UpRef(certs[i]));
+  if (cert_array_to_stack(certs, &crypto_certs, num_certs)) {
+    return 0;
   }
   return cert_set_chain_and_key(ctx->cert.get(), &crypto_certs, num_certs, privkey,
                                 privkey_method, 1);
@@ -1004,16 +1014,15 @@ int SSL_CTX_use_cert_and_key(SSL_CTX *ctx, X509 *x509, EVP_PKEY *privatekey,
     return 0;
   }
 
-  // Convert |x509| to type |CRYPTO_BUFFER| and add as first cert in chain
+  // Add leaf cert first to the chain
   UniquePtr<CRYPTO_BUFFER> leaf_buf(CRYPTO_BUFFER_new(buf, cert_len, nullptr));
-
   OPENSSL_free(buf);
   if (!leaf_buf ||
       !PushToStack(leaf_and_chain.get(), std::move(leaf_buf))) {
     return 0;
   }
 
-  // Convert chain certificates to CRYPTO_BUFFER objects
+  // Convert other chain certificates to CRYPTO_BUFFER objects
   if (chain != nullptr) {
     for (size_t i = 0; i < sk_X509_num(chain); i++) {
       buf = nullptr;
@@ -1032,22 +1041,21 @@ int SSL_CTX_use_cert_and_key(SSL_CTX *ctx, X509 *x509, EVP_PKEY *privatekey,
     }
   }
 
-  // Call SSL_CTX_set_chain_and_key with our vector
+  // Call SSL_CTX_set_chain_and_key to set the chain and key
   if (!cert_set_chain_and_key(ctx->cert.get(), &leaf_and_chain,
                               sk_CRYPTO_BUFFER_num(leaf_and_chain.get()),
                               privatekey, nullptr, override)) {
     return 0;
   }
 
-  // Store a reference to the passed in |x509| object
+  // Store a reference to the passed in |x509| leaf object
   int idx = ssl_get_certificate_slot_index(privatekey);
   X509_up_ref(x509);
   ctx->cert->cert_private_keys[idx].x509_leaf = x509;
 
   return 1;
 }
 
-
 void SSL_certs_clear(SSL *ssl) {
   if (!ssl->config) {
     return;