Commit e5db9c3b authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

Minor enhancement to PR#2836 fix. Instead of modifying SSL_get_certificate

change the current certificate (in s->cert->key) to the one actually used;
SSL_get_certificate and SSL_get_privatekey will then work automatically.
parent 2daceb03
+2 −2
@@ -347,8 +347,8 @@
 Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]

  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
     the right response is stapled. Also change SSL_get_certificate()
     so it returns the certificate actually sent.
     the right response is stapled. Also change current certificate to
     the certificate actually sent.
     See http://rt.openssl.org/Ticket/Display.html?id=2836.
     [Rob Stradling <rob.stradling@comodo.com>]

+0 −8
@@ -2833,14 +2833,6 @@ void ssl_clear_cipher_ctx(SSL *s)
/* Fix this function so that it takes an optional type parameter */
X509 *SSL_get_certificate(const SSL *s)
	{
	if (s->server)
		{
		CERT_PKEY *certpkey;
		certpkey = ssl_get_server_send_pkey(s);
		if (certpkey && certpkey->x509)
			return certpkey->x509;
		}

	if (s->cert != NULL)
		return(s->cert->key->x509);
	else
+12 −0
@@ -2755,6 +2755,18 @@ int ssl_check_clienthello_tlsext_late(SSL *s)
	if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
		{
		int r;
		CERT_PKEY *certpkey;
		certpkey = ssl_get_server_send_pkey(s);
		/* If no certificate can't return certificate status */
		if (certpkey == NULL)
			{
			s->tlsext_status_expected = 0;
			return 1;
			}
		/* Set current certificate to one we will use so
		 * SSL_get_certificate et al can pick it up.
		 */
		s->cert->key = certpkey;
		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
		switch (r)
			{
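Review bot: The update of the current certificate at `s->cert->key = certpkey;` sits inside the `tlsext_status_cb` condition at the top of the hunk, so when no status callback is configured or no status request arrived, `s->cert->key` keeps its earlier value and SSL_get_certificate()/SSL_get_privatekey() called from other callbacks may still report a certificate that is not the one being sent, while the ssl_lib.c hunk removes the server-side lookup that previously covered that case. Since this function runs after ciphersuite selection, the lookup and assignment could be hoisted ahead of the condition, keeping the NULL check so the existing early return is preserved. The assignment also dereferences `s->cert` unguarded where SSL_get_certificate() checks `s->cert != NULL`; presumably ssl_get_server_send_pkey() already requires a non-NULL cert, but that is worth confirming. ssl_check_clienthello_tlsext_late begins before the hunk and the switch on `r` continues after it.
```c
	CERT_PKEY *certpkey = ssl_get_server_send_pkey(s);
	/* Make the certificate we will send the current one so that
	 * SSL_get_certificate et al pick it up, whether or not a
	 * status callback is set.
	 */
	if (certpkey != NULL)
		s->cert->key = certpkey;
	if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
		{
		int r;
		/* No certificate: cannot return a certificate status */
		if (certpkey == NULL)
			{
			s->tlsext_status_expected = 0;
			return 1;
			}
		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
		/* ... unchanged: switch on r ... */
```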