Minor enhancement to PR#2836 fix. Instead of modifying SSL_get_certificate
authorDr. Stephen Henson <steve@openssl.org>
Fri, 21 Sep 2012 14:01:59 +0000 (14:01 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 21 Sep 2012 14:01:59 +0000 (14:01 +0000)
change the current certificate (in s->cert->key) to the one used and then
SSL_get_certificate and SSL_get_privatekey will automatically work.

Note: for 1.0.1 and earlier this change also includes a backport of the function
ssl_get_server_send_pkey.

ssl/ssl_lib.c
ssl/ssl_locl.h
ssl/t1_lib.c

index 984895f2f1bedb55b14af4d23275be909b3e70a4..6bd31c2dea692988dfb12bfc3c616c03c057147e 100644 (file)
@@ -2287,7 +2287,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
 #endif
 
 /* THIS NEEDS CLEANING UP */
-X509 *ssl_get_server_send_cert(const SSL *s)
+CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)
        {
        unsigned long alg_k,alg_a;
        CERT *c;
@@ -2345,9 +2345,17 @@ X509 *ssl_get_server_send_cert(const SSL *s)
                SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR);
                return(NULL);
                }
-       if (c->pkeys[i].x509 == NULL) return(NULL);
 
-       return(c->pkeys[i].x509);
+       return c->pkeys + i;
+       }
+
+X509 *ssl_get_server_send_cert(const SSL *s)
+       {
+       CERT_PKEY *cpk;
+       cpk = ssl_get_server_send_pkey(s);
+       if (!cpk)
+               return NULL;
+       return cpk->x509;
        }
 
 EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
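Review bot: The SSLerr call kept at the top of the second hunk still reports SSL_F_SSL_GET_SERVER_SEND_CERT, but after the rename in the first hunk it executes inside ssl_get_server_send_pkey, so the error queue attributes the internal error to a function that no longer contains that code path; a dedicated function code for the new function would presumably need the usual registration in the error table. Dropping `if (c->pkeys[i].x509 == NULL) return(NULL);` also changes the contract: ssl_get_server_send_pkey now returns `c->pkeys + i` even when that slot holds no certificate, and only the ssl_get_server_send_cert wrapper still yields NULL for that case (through `cpk->x509`), so new callers of the pkey variant must check the x509 member themselves. The new function has no header comment; I would add `/* Select the CERT_PKEY slot the server will send for the current cipher, or NULL if no slot is selected. The returned slot's x509 may itself be NULL. */` above its definition. The body of ssl_get_server_send_pkey runs between the two hunks and is not visible here.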
index 1fab632ddcc164146dc0adc015f67c3eda0267cd..0572e1029ec54491c69178fdb858365462e49856 100644 (file)
@@ -830,6 +830,7 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
 int ssl_undefined_function(SSL *s);
 int ssl_undefined_void_function(void);
 int ssl_undefined_const_function(const SSL *s);
+CERT_PKEY *ssl_get_server_send_pkey(const SSL *s);
 X509 *ssl_get_server_send_cert(const SSL *);
 EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd);
 int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
index dc5be972d5a4d1a9601088131d9e1dd4b6350c16..28eec44566a50a6e408c7be6a0852bb4c8c88d04 100644 (file)
@@ -1871,6 +1871,18 @@ int ssl_check_clienthello_tlsext_late(SSL *s)
        if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
                {
                int r;
+               CERT_PKEY *certpkey;
+               certpkey = ssl_get_server_send_pkey(s);
+               /* If no certificate can't return certificate status */
+               if (certpkey == NULL)
+                       {
+                       s->tlsext_status_expected = 0;
+                       return 1;
+                       }
+               /* Set current certificate to one we will use so
+                * SSL_get_certificate et al can pick it up.
+                */
+               s->cert->key = certpkey;
                r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
                switch (r)
                        {