backport OCSP fix enhancement
authorDr. Stephen Henson <steve@openssl.org>
Fri, 5 Oct 2012 13:02:31 +0000 (13:02 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 5 Oct 2012 13:02:31 +0000 (13:02 +0000)
ssl/ssl_lib.c
ssl/ssl_locl.h
ssl/t1_lib.c

index 25e95fd..5980b85 100644 (file)
@@ -1943,7 +1943,7 @@ int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
        }
 
 /* THIS NEEDS CLEANING UP */
-X509 *ssl_get_server_send_cert(const SSL *s)
+CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)
        {
        unsigned long alg,kalg;
        CERT *c;
@@ -1996,9 +1996,17 @@ X509 *ssl_get_server_send_cert(const SSL *s)
                SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR);
                return(NULL);
                }
-       if (c->pkeys[i].x509 == NULL) return(NULL);
 
-       return(c->pkeys[i].x509);
+       return c->pkeys + i;
+       }
+
+X509 *ssl_get_server_send_cert(const SSL *s)
+       {
+       CERT_PKEY *cpk;
+       cpk = ssl_get_server_send_pkey(s);
+       if (!cpk)
+               return NULL;
+       return cpk->x509;
        }
 
 EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher)
index b9a2543..9059b7d 100644 (file)
@@ -740,6 +740,7 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
 int ssl_undefined_function(SSL *s);
 int ssl_undefined_void_function(void);
 int ssl_undefined_const_function(const SSL *s);
+CERT_PKEY *ssl_get_server_send_pkey(const SSL *s);
 X509 *ssl_get_server_send_cert(const SSL *);
 EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *);
 int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
index c4cd9cd..00b8286 100644 (file)
@@ -786,6 +786,18 @@ int ssl_check_clienthello_tlsext_late(SSL *s)
        if (s->tlsext_status_type != -1 && s->ctx && s->ctx->tlsext_status_cb)
                {
                int r;
+               CERT_PKEY *certpkey;
+               certpkey = ssl_get_server_send_pkey(s);
+               /* If no certificate can't return certificate status */
+               if (certpkey == NULL)
+                       {
+                       s->tlsext_status_expected = 0;
+                       return 1;
+                       }
+               /* Set current certificate to one we will use so
+                * SSL_get_certificate et al can pick it up.
+                */
+               s->cert->key = certpkey;
                r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
                switch (r)
                        {