Option to set current cert to server certificate.
authorDr. Stephen Henson <steve@openssl.org>
Fri, 21 Feb 2014 19:42:03 +0000 (19:42 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 21 Feb 2014 19:44:09 +0000 (19:44 +0000)
doc/ssl/SSL_CTX_add1_chain_cert.pod
ssl/s3_lib.c
ssl/ssl.h
ssl/ssl_lib.c

index 4e5a46d..e294afe 100644 (file)
@@ -77,6 +77,14 @@ the first valid certificate or B<SSL_CERT_SET_NEXT> to set the next valid
 certificate after the current certificate. These two operations can be
 used to iterate over all certificates in an B<SSL_CTX> structure.
 
+SSL_set_current_cert() also supports the option B<SSL_CERT_SET_SERVER>.
+If B<ssl> is a server and has sent a certificate to a connected client
+this option sets that certificate to the current certificate and returns 1.
+If the negotiated ciphersuite is anonymous (and thus no certificate will
+be sent) 2 is returned and the current certificate is unchanged. If B<ssl>
+is not a server or a certificate has not been sent 0 is returned and
+the current certificate is unchanged.
+
 All these functions are implemented as macros. Those containing a B<1>
 increment the reference count of the supplied certificate or chain so it must
 be freed at some point after the operation. Those containing a B<0> do
index 4531f46..5a1b80b 100644 (file)
@@ -3432,6 +3432,24 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                return ssl_cert_select_current(s->cert, (X509 *)parg);
 
        case SSL_CTRL_SET_CURRENT_CERT:
+               if (larg == SSL_CERT_SET_SERVER)
+                       {
+                       CERT_PKEY *cpk;
+                       const SSL_CIPHER *cipher;
+                       if (!s->server)
+                               return 0;
+                       cipher = s->s3->tmp.new_cipher;
+                       if (!cipher)
+                               return 0;
+                       /* No certificate for unauthenticated ciphersuites */
+                       if (cipher->algorithm_auth & SSL_aNULL)
+                               return 2;
+                       cpk = ssl_get_server_send_pkey(s);
+                       if (!cpk)
+                               return 0;
+                       s->cert->key = cpk;
+                       return 1;
+                       }
                return ssl_cert_set_current(s->cert, larg);
 
 #ifndef OPENSSL_NO_EC
index 2c3a9a3..2b87710 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1949,6 +1949,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 
 #define SSL_CERT_SET_FIRST                     1
 #define SSL_CERT_SET_NEXT                      2
+#define SSL_CERT_SET_SERVER                    3
 
 #define DTLSv1_get_timeout(ssl, arg) \
        SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
index d47f268..eeed24d 100644 (file)
@@ -2635,6 +2635,8 @@ CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)
        int i;
 
        c = s->cert;
+       if (!s->s3 || !s->s3->tmp.new_cipher)
+               return NULL;
        ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
 
 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL