backport OCSP fix enhancement

author Dr. Stephen Henson <steve@openssl.org>

Fri, 5 Oct 2012 13:00:18 +0000 (13:00 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Fri, 5 Oct 2012 13:00:18 +0000 (13:00 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Fri, 5 Oct 2012 13:00:18 +0000 (13:00 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Fri, 5 Oct 2012 13:00:18 +0000 (13:00 +0000)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c

index 15a7e7eb22bb2e428a27b365df5664bbe2d1e754..f7ed6e342623699aab829eb6bea54aca58bdf736 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2107,7 +2107,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
  #endif
  
  /* THIS NEEDS CLEANING UP */
-X509 *ssl_get_server_send_cert(const SSL *s)
+CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)
         {
         unsigned long alg_k,alg_a;
         CERT *c;
@@ -2165,9 +2165,17 @@ X509 *ssl_get_server_send_cert(const SSL *s)
                 SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR);
                 return(NULL);
                 }
-       if (c->pkeys[i].x509 == NULL) return(NULL);
  
-       return(c->pkeys[i].x509);
+       return c->pkeys + i;
+       }
+
+X509 *ssl_get_server_send_cert(const SSL *s)
+       {
+       CERT_PKEY *cpk;
+       cpk = ssl_get_server_send_pkey(s);
+       if (!cpk)
+               return NULL;
+       return cpk->x509;
         }
  
  EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h

index 3d49c8322fed367131c6bae2d29e7023d2fab891..7cf1d19dde786eefe4576f3007fe50b2dc593942 100644 (file)
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -808,6 +808,7 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
  int ssl_undefined_function(SSL *s);
  int ssl_undefined_void_function(void);
  int ssl_undefined_const_function(const SSL *s);
+CERT_PKEY *ssl_get_server_send_pkey(const SSL *s);
  X509 *ssl_get_server_send_cert(const SSL *);
  EVP_PKEY *ssl_get_sign_pkey(SSL *,const SSL_CIPHER *);
  int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c

index c6b019693b554357d2eb233fd1c2b5ea5939fc7c..eb5c0c5f53817bf4d2dd76a952837677d9c8d115 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1441,6 +1441,18 @@ int ssl_check_clienthello_tlsext_late(SSL *s)
         if (s->tlsext_status_type != -1 && s->ctx && s->ctx->tlsext_status_cb)
                 {
                 int r;
+               CERT_PKEY *certpkey;
+               certpkey = ssl_get_server_send_pkey(s);
+               /* If no certificate can't return certificate status */
+               if (certpkey == NULL)
+                       {
+                       s->tlsext_status_expected = 0;
+                       return 1;
+                       }
+               /* Set current certificate to one we will use so
+                * SSL_get_certificate et al can pick it up.
+                */
+               s->cert->key = certpkey;
                 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
                 switch (r)
                         {
author	Dr. Stephen Henson <steve@openssl.org>
	Fri, 5 Oct 2012 13:00:18 +0000 (13:00 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Fri, 5 Oct 2012 13:00:18 +0000 (13:00 +0000)
ssl/ssl_lib.c		patch \| blob \| history
ssl/ssl_locl.h		patch \| blob \| history
ssl/t1_lib.c		patch \| blob \| history