authorDr. Stephen Henson <steve@openssl.org>2012-06-29 14:24:42 +0000
committerDr. Stephen Henson <steve@openssl.org>2012-06-29 14:24:42 +0000
commit18d7158809c9722f4c6d2a8af7513577274f9b56 (patch)
tree21cf503b096928ae887c28b997622eb4ee6bfd70 /ssl/ssl_locl.h
parent0f39bab0df4109bab7effc7428e1d759f36d8642 (diff)
Add certificate callback. If set, this is called whenever a certificate
is required by client or server. An application can decide which certificate chain to present based on arbitrary criteria: for example supported signature algorithms. Add very simple example to s_server. This fixes many of the problems and restrictions of the existing client certificate callback: for example you can now clear existing certificates and specify the whole chain.
Diffstat (limited to 'ssl/ssl_locl.h')
-rw-r--r--ssl/ssl_locl.h11
1 files changed, 11 insertions, 0 deletions
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index c2547ad47f..17bbbf5af4 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -550,6 +550,16 @@ typedef struct cert_st
TLS_SIGALGS *shared_sigalgs;
size_t shared_sigalgslen;
+ /* Certificate setup callback: if set is called whenever a
+ * certificate may be required (client or server). the callback
+ * can then examine any appropriate parameters and setup any
+ * certificates required. This allows advanced applications
+ * to select certificates on the fly: for example based on
+ * supported signature algorithms or curves.
+ */
+ int (*cert_cb)(SSL *ssl, void *arg);
+ void *cert_cb_arg;
+
int references; /* >1 only if SSL_copy_session_id is used */
} CERT;
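Review bot: The comment added above `int (*cert_cb)(SSL *ssl, void *arg);` says when the callback runs but not what its `int` result means to the handshake, so a reader of this header cannot tell which return value lets the handshake continue and which aborts it, nor who owns `cert_cb_arg`; the comment should state the return-value contract the state machine applies and add ` * cert_cb_arg is an opaque pointer owned by the application.` The first sentence also reads awkwardly, `if set is called` should be `if set, it is called`. Since CERT objects are duplicated elsewhere (an SSL created from a CTX presumably gets a copy of the CTX's CERT), the two new fields presumably need to be carried across in that copy routine as well, otherwise a callback installed on the context would silently never fire for SSL objects; that cannot be confirmed from this header-only diff.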
@@ -888,6 +898,7 @@ int ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain);
int ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain);
int ssl_cert_add0_chain_cert(CERT *c, X509 *x);
int ssl_cert_add1_chain_cert(CERT *c, X509 *x);
+void ssl_cert_set_cert_cb(CERT *c, int (*cb)(SSL *ssl, void *arg), void *arg);
int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l);
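Review bot: The callback signature `int (*cb)(SSL *ssl, void *arg)` is spelled out a second time in this prototype, duplicating the field declaration in `struct cert_st` earlier in the patch, so the two can drift apart without any compiler complaint; a shared typedef would keep them in lock-step, e.g. `typedef int (*ssl_cert_cb_fn)(SSL *ssl, void *arg);` used by the struct field and `void ssl_cert_set_cert_cb(CERT *c, ssl_cert_cb_fn cb, void *arg);` here. The prototype also carries no comment: unlike the neighbouring `set0`/`set1` helpers, whose names encode ownership, nothing says that `arg` is stored by reference (presumably it is, given the `void *cert_cb_arg` field) and must stay valid for the CERT's lifetime; a one-line comment such as `/* cb and arg are stored by reference, not copied */` would settle it.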