Commit 353e8451 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

Minor enhancement to PR#2836 fix. Instead of modifying SSL_get_certificate

change the current certificate (in s->cert->key) to the one used and then
SSL_get_certificate and SSL_get_privatekey will automatically work.

Note for 1.0.1 and earlier also includes backport of the function
ssl_get_server_send_pkey.
parent d1451f18
+11 −3
@@ -2287,7 +2287,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
#endif

/* THIS NEEDS CLEANING UP */
X509 *ssl_get_server_send_cert(const SSL *s)
CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)
	{
	unsigned long alg_k,alg_a;
	CERT *c;
@@ -2345,9 +2345,17 @@ X509 *ssl_get_server_send_cert(const SSL *s)
		SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR);
		return(NULL);
		}
	if (c->pkeys[i].x509 == NULL) return(NULL);

	return(c->pkeys[i].x509);
	return c->pkeys + i;
	}

X509 *ssl_get_server_send_cert(const SSL *s)
	{
	CERT_PKEY *cpk;
	cpk = ssl_get_server_send_pkey(s);
	if (!cpk)
		return NULL;
	return cpk->x509;
	}

EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
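Review bot: The error path kept at the top of the second hunk still reports `SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR);` although the function it sits in is now ssl_get_server_send_pkey, so an internal error raised here will be attributed to the wrapper rather than to the slot-selection logic. A dedicated function code, `SSLerr(SSL_F_SSL_GET_SERVER_SEND_PKEY,ERR_R_INTERNAL_ERROR);`, registered in the usual error-code tables, keeps the report accurate. Note also that the removed `if (c->pkeys[i].x509 == NULL) return(NULL);` changes the contract: ssl_get_server_send_pkey can now return a slot whose x509 and privatekey are both NULL, which ssl_get_server_send_cert tolerates by returning `cpk->x509`, but any other caller must check the slot's fields itself. The body of ssl_get_server_send_pkey lies between the two hunks, and ssl_get_sign_pkey begins on the last line and continues outside the hunk.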
+1 −0
@@ -830,6 +830,7 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
int ssl_undefined_function(SSL *s);
int ssl_undefined_void_function(void);
int ssl_undefined_const_function(const SSL *s);
CERT_PKEY *ssl_get_server_send_pkey(const SSL *s);
X509 *ssl_get_server_send_cert(const SSL *);
EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd);
int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
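Review bot: The new prototype for ssl_get_server_send_pkey carries no comment about what the returned pointer is, and ssl_get_server_send_cert next to it has none either. Since the pointer is a slot inside `s->cert->pkeys` and is later stored into `s->cert->key`, a one-line note above the declaration would spare callers from guessing at ownership: `/* Returns the CERT_PKEY slot (owned by s->cert, do not free) the server will send for the current cipher, or NULL if no slot fits; the slot's x509 may itself be NULL. */`.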
+12 −0
@@ -1871,6 +1871,18 @@ int ssl_check_clienthello_tlsext_late(SSL *s)
	if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
		{
		int r;
		CERT_PKEY *certpkey;
		certpkey = ssl_get_server_send_pkey(s);
		/* If no certificate can't return certificate status */
		if (certpkey == NULL)
			{
			s->tlsext_status_expected = 0;
			return 1;
			}
		/* Set current certificate to one we will use so
		 * SSL_get_certificate et al can pick it up.
		 */
		s->cert->key = certpkey;
		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
		switch (r)
			{
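Review bot: The guard `if (certpkey == NULL)` only catches the case where no slot matches the cipher; with ssl_get_server_send_pkey now returning `c->pkeys + i` without checking `x509`, a matching slot that holds no certificate passes the guard, `s->cert->key` is pointed at that empty slot, and the status callback runs while SSL_get_certificate returns NULL. Whether an empty slot can actually be selected depends on the selection logic outside this hunk, but the comment "If no certificate can't return certificate status" describes the intent, so the check should match it: `if (certpkey == NULL || certpkey->x509 == NULL)`. The switch on `r` and the rest of ssl_check_clienthello_tlsext_late continue outside the hunk.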