#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
+#include <openssl/md5.h>
+#include <openssl/sha.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include "ssl_locl.h"
void (*cb)()=NULL;
long num1;
int ret= -1;
- CERT *ct;
int new_state,state,skip=0;
RAND_seed(&Time,sizeof(Time));
if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
s->in_handshake++;
-#ifdef undef
- /* FIX THIS EAY EAY EAY */
- /* we don't actually need a cert, we just need a cert or a DH_tmp */
- if (((s->session == NULL) || (s->session->cert == NULL)) &&
- (s->cert == NULL))
+ if (s->cert == NULL)
{
SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
- ret= -1;
- goto end;
+ return(-1);
}
-#endif
for (;;)
{
case SSL3_ST_SW_KEY_EXCH_A:
case SSL3_ST_SW_KEY_EXCH_B:
l=s->s3->tmp.new_cipher->algorithms;
- if (s->session->cert == NULL)
- {
- if (s->cert != NULL)
- {
- CRYPTO_add(&s->cert->references,1,CRYPTO_LOCK_SSL_CERT);
- s->session->cert=s->cert;
- }
- else
- {
- CRYPTO_add(&s->ctx->default_cert->references,1,CRYPTO_LOCK_SSL_CERT);
- s->session->cert=s->ctx->default_cert;
- }
- }
- ct=s->session->cert;
/* clear this, it may get reset by
* send_server_key_exchange */
if (s->s3->tmp.use_rsa_tmp
|| (l & (SSL_DH|SSL_kFZA))
|| ((l & SSL_kRSA)
- && (ct->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
+ && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
|| (SSL_IS_EXPORT(l)
- && EVP_PKEY_size(ct->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_EXPORT_PKEYLENGTH(l)
+ && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_EXPORT_PKEYLENGTH(l)
)
)
)
{ /* previous session */
s->hit=1;
}
- else
+ else if (i == -1)
+ goto err;
+ else /* i == 0 */
{
if (!ssl_get_new_session(s,1))
goto err;
if (s->state == SSL3_ST_SW_KEY_EXCH_A)
{
type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
- cert=s->session->cert;
+ cert=s->cert;
buf=s->init_buf;
if (type & SSL_kRSA)
{
rsa=cert->rsa_tmp;
- if ((rsa == NULL) && (s->ctx->default_cert->rsa_tmp_cb != NULL))
+ if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL))
{
- rsa=s->ctx->default_cert->rsa_tmp_cb(s,
+ rsa=s->cert->rsa_tmp_cb(s,
SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
if (type & SSL_kEDH)
{
dhp=cert->dh_tmp;
- if ((dhp == NULL) && (cert->dh_tmp_cb != NULL))
- dhp=cert->dh_tmp_cb(s,
+ if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
+ dhp=s->cert->dh_tmp_cb(s,
!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
if (dhp == NULL)
long n;
unsigned long l;
unsigned char *p;
+#ifndef NO_RSA
RSA *rsa=NULL;
EVP_PKEY *pkey=NULL;
+#endif
#ifndef NO_DH
BIGNUM *pub=NULL;
DH *dh_srvr;
/* FIX THIS UP EAY EAY EAY EAY */
if (s->s3->tmp.use_rsa_tmp)
{
- if ((s->session->cert != NULL) &&
- (s->session->cert->rsa_tmp != NULL))
- rsa=s->session->cert->rsa_tmp;
- else if ((s->ctx->default_cert != NULL) &&
- (s->ctx->default_cert->rsa_tmp != NULL))
- rsa=s->ctx->default_cert->rsa_tmp;
+ if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
+ rsa=s->cert->rsa_tmp;
/* Don't do a callback because rsa_tmp should
* be sent already */
if (rsa == NULL)
}
}
- /* This should not be needed */
- if (s->session->peer != NULL)
+ if (s->session->peer != NULL) /* This should not be needed */
X509_free(s->session->peer);
s->session->peer=sk_X509_shift(sk);
- s->session->cert->cert_chain=sk;
+
+ /* With the current implementation, sess_cert will always be NULL
+ * when we arrive here. */
+ if (s->session->sess_cert == NULL)
+ {
+ s->session->sess_cert = ssl_sess_cert_new();
+ if (s->session->sess_cert == NULL)
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ }
+ if (s->session->sess_cert->cert_chain != NULL)
+ sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
+ s->session->sess_cert->cert_chain=sk;
+
sk=NULL;
ret=1;