Minor enhancement to PR#2836 fix. Instead of modifying SSL_get_certificate

change the current certificate (in s->cert->key) to the one used and then
SSL_get_certificate and SSL_get_privatekey will automatically work.

diff --git a/CHANGES b/CHANGES
index f84f028d10e3ad326e5098f3d213f78c3effbce7..3c61e39919a3e93a734acd02f4b0ac8567d9ed0b 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -5,8 +5,8 @@
  Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]
 
   *) Call OCSP Stapling callback after ciphersuite has been chosen, so
-     the right response is stapled. Also change SSL_get_certificate()
-     so it returns the certificate actually sent.
+     the right response is stapled. Also change current certificate to
+     the certificate actually sent.
      See http://rt.openssl.org/Ticket/Display.html?id=2836.
      [Rob Stradling <rob.stradling@comodo.com>]
 

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 555a630b1ba8da6e316c2e2ed5b6111c37135e8b..5206fd868681310dde72050ab3005cfa1e972da7 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2840,14 +2840,6 @@ void ssl_clear_cipher_ctx(SSL *s)
 /* Fix this function so that it takes an optional type parameter */
 X509 *SSL_get_certificate(const SSL *s)
        {
-       if (s->server)
-               {
-               CERT_PKEY *certpkey;
-               certpkey = ssl_get_server_send_pkey(s);
-               if (certpkey && certpkey->x509)
-                       return certpkey->x509;
-               }
-
        if (s->cert != NULL)
                return(s->cert->key->x509);
        else

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index d0764e8cd329a16137b92dfc8728230af7efe779..a438321a41e0298c5fa2ec750349eea34b1cd2b9 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2355,6 +2355,18 @@ int ssl_check_clienthello_tlsext_late(SSL *s)
        if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
                {
                int r;
+               CERT_PKEY *certpkey;
+               certpkey = ssl_get_server_send_pkey(s);
+               /* If no certificate can't return certificate status */
+               if (certpkey == NULL)
+                       {
+                       s->tlsext_status_expected = 0;
+                       return 1;
+                       }
+               /* Set current certificate to one we will use so
+                * SSL_get_certificate et al can pick it up.
+                */
+               s->cert->key = certpkey;
                r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
                switch (r)
                        {