diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2012-09-21 14:01:59 +0000 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2012-09-21 14:01:59 +0000 |
| commit | 353e845120045f87ca0bc850d345caa0f853d70d (patch) | |
| tree | 2cad6aed1cf3080479e14e1df1cc428f19a00d31 | |
| parent | d1451f18d9f447ccd26f2c80aad9750756727915 (diff) | |
Minor enhancement to PR#2836 fix. Instead of modifying SSL_get_certificate
change the current certificate (in s->cert->key) to the one used and then
SSL_get_certificate and SSL_get_privatekey will automatically work.
Note for 1.0.1 and earlier also includes backport of the function
ssl_get_server_send_pkey.
| -rw-r--r-- | ssl/ssl_lib.c | 14 | ||||
| -rw-r--r-- | ssl/ssl_locl.h | 1 | ||||
| -rw-r--r-- | ssl/t1_lib.c | 12 |
3 files changed, 24 insertions, 3 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 984895f2f1..6bd31c2dea 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2287,7 +2287,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) #endif /* THIS NEEDS CLEANING UP */ -X509 *ssl_get_server_send_cert(const SSL *s) +CERT_PKEY *ssl_get_server_send_pkey(const SSL *s) { unsigned long alg_k,alg_a; CERT *c; @@ -2345,9 +2345,17 @@ X509 *ssl_get_server_send_cert(const SSL *s) SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR); return(NULL); } - if (c->pkeys[i].x509 == NULL) return(NULL); - return(c->pkeys[i].x509); + return c->pkeys + i; + } + +X509 *ssl_get_server_send_cert(const SSL *s) + { + CERT_PKEY *cpk; + cpk = ssl_get_server_send_pkey(s); + if (!cpk) + return NULL; + return cpk->x509; } EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd) diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 1fab632ddc..0572e1029e 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -830,6 +830,7 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk); int ssl_undefined_function(SSL *s); int ssl_undefined_void_function(void); int ssl_undefined_const_function(const SSL *s); +CERT_PKEY *ssl_get_server_send_pkey(const SSL *s); X509 *ssl_get_server_send_cert(const SSL *); EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd); int ssl_cert_type(X509 *x,EVP_PKEY *pkey); diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index dc5be972d5..28eec44566 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1871,6 +1871,18 @@ int ssl_check_clienthello_tlsext_late(SSL *s) if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) { int r; + CERT_PKEY *certpkey; + certpkey = ssl_get_server_send_pkey(s); + /* If no certificate can't return certificate status */ + if (certpkey == NULL) + { + s->tlsext_status_expected = 0; + return 1; + } + /* Set current certificate to one we will use so + * SSL_get_certificate et al can pick it up. + */ + s->cert->key = certpkey; r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); switch (r) { |