Add client cert engine to SSL routines.

[openssl.git] / ssl / s3_clnt.c

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 23875f00e0e082b55548c03d151eba3e47ffb6f2..8f96120d2e963b5719b8b650dde16834fed9933b 100644 (file)
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -160,6 +160,9 @@
 #include <openssl/dh.h>
 #endif
 #include <openssl/bn.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
 
 static const SSL_METHOD *ssl3_get_client_method(int ver);
 static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
@@ -2723,8 +2726,7 @@ int ssl3_send_client_certificate(SSL *s)
                 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
                 * We then get retied later */
                i=0;
-               if (s->ctx->client_cert_cb != NULL)
-                       i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
+               i = ssl_do_client_cert_cb(s, &x509, &pkey);
                if (i < 0)
                        {
                        s->rwstate=SSL_X509_LOOKUP;
@@ -2948,3 +2950,21 @@ static int ssl3_check_finished(SSL *s)
        return 1;
        }
 #endif
+
+int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
+       {
+       int i = 0;
+#ifndef OPENSSL_NO_ENGINE
+       if (s->ctx->client_cert_engine)
+               {
+               i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
+                                               SSL_get_client_CA_list(s),
+                                               px509, ppkey, NULL, NULL);
+               if (i != 0)
+                       return i;
+               }
+#endif
+       if (s->ctx->client_cert_cb)
+               i = s->ctx->client_cert_cb(s,px509,ppkey);
+       return i;
+       }