Add certificate callback. If set this is called whenever a certificate

[openssl.git] / ssl / s3_srvr.c

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index d8b61f2c657cd450f46c137f6d9823a16ec93992..f6ab29cd79ba63e60cabd2af0e8d2d7fa7ff39fa 100644 (file)
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -191,7 +191,8 @@ static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
                {
                if(s->srp_ctx.login == NULL)
                        {
-                       /* There isn't any srp login extension !!! */
+                       /* RFC 5054 says SHOULD reject, 
+                          we do so if There is no srp login name */
                        ret = SSL3_AL_FATAL;
                        *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
                        }
@@ -379,6 +380,7 @@ int ssl3_accept(SSL *s)
                                }
                        }
 #endif         
+                       
                        s->renegotiate = 2;
                        s->state=SSL3_ST_SW_SRVR_HELLO_A;
                        s->init_num=0;
@@ -1356,6 +1358,14 @@ int ssl3_get_client_hello(SSL *s)
                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_PASSED);
                        goto f_err;
                        }
+               /* Let cert callback update server certificates if required */
+               if (s->cert->cert_cb
+                       && s->cert->cert_cb(s, s->cert->cert_cb_arg) <= 0)
+                       {
+                       al=SSL_AD_INTERNAL_ERROR;
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CERT_CB_ERROR);
+                       goto f_err;
+                       }
                ciphers=NULL;
                c=ssl3_choose_cipher(s,s->session->ciphers,
                                     SSL_get_ciphers(s));
@@ -1416,6 +1426,16 @@ int ssl3_get_client_hello(SSL *s)
         * s->tmp.new_cipher    - the new cipher to use.
         */
 
+       /* Handles TLS extensions that we couldn't check earlier */
+       if (s->version >= SSL3_VERSION)
+               {
+               if (ssl_check_clienthello_tlsext_late(s) <= 0)
+                       {
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
+                       goto err;
+                       }
+               }
+
        if (ret < 0) ret=1;
        if (0)
                {
@@ -2057,7 +2077,7 @@ int ssl3_send_certificate_request(SSL *s)
 
                if (TLS1_get_version(s) >= TLS1_2_VERSION)
                        {
-                       nl = tls12_get_req_sig_algs(s, p + 2);
+                       nl = tls12_get_sig_algs(s, p + 2);
                        s2n(nl, p);
                        p += nl + 2;
                        n += nl + 2;
@@ -3330,7 +3350,7 @@ int ssl3_get_client_certificate(SSL *s)
                if (i <= 0)
                        {
                        al=ssl_verify_alarm_type(s->verify_result);
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
                        goto f_err;
                        }
                }
@@ -3667,6 +3687,8 @@ int tls1_send_server_supplemental_data(SSL *s)
 
                type = *(authz++);
                n2s(authz, len);
+               /* n2s increments authz by 2*/
+               i += 2;
 
                if (memchr(s->s3->tlsext_authz_client_types,
                           type,
@@ -3710,6 +3732,8 @@ int tls1_send_server_supplemental_data(SSL *s)
 
                type = *(authz++);
                n2s(authz, len);
+               /* n2s increments authz by 2 */
+               i += 2;
 
                if (memchr(s->s3->tlsext_authz_client_types,
                           type,