From: Dr. Stephen Henson
Date: Tue, 11 Sep 2012 13:35:14 +0000 (+0000)
Subject: Minor enhancement to PR#2836 fix. Instead of modifying SSL_get_certificate
X-Git-Tag: OpenSSL_1_0_2-beta1~580
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=dc144417571735c82853421a8845ef603d828a0b;p=openssl

Minor enhancement to PR#2836 fix. Instead of modifying SSL_get_certificate change the current certificate (in s->cert->key) to the one used and then SSL_get_certificate and SSL_get_privatekey will automatically work.
---
diff --git a/CHANGES b/CHANGES
index f84f028d10..3c61e39919 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5,8 +5,8 @@ Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]
  *) Call OCSP Stapling callback after ciphersuite has been chosen, so - the right response is stapled. Also change SSL_get_certificate() - so it returns the certificate actually sent. + the right response is stapled. Also change current certificate to + the certificate actually sent. See http://rt.openssl.org/Ticket/Display.html?id=2836. [Rob Stradling ]
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 555a630b1b..5206fd8686 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2840,14 +2840,6 @@ void ssl_clear_cipher_ctx(SSL *s)
 /* Fix this function so that it takes an optional type parameter */
 X509 *SSL_get_certificate(const SSL *s)
 {
- if (s->server)
- {
- CERT_PKEY *certpkey;
- certpkey = ssl_get_server_send_pkey(s);
- if (certpkey && certpkey->x509)
- return certpkey->x509;
- }
-
 if (s->cert != NULL)
 return(s->cert->key->x509);
 else
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index d0764e8cd3..a438321a41 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2355,6 +2355,18 @@ int ssl_check_clienthello_tlsext_late(SSL *s)
 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
 {
 int r;
+ CERT_PKEY *certpkey;
+ certpkey = ssl_get_server_send_pkey(s);
+ /* If no certificate can't return certificate status */
+ if (certpkey == NULL)
+ {
+ s->tlsext_status_expected = 0;
+ return 1;
+ }
+ /* Set current certificate to one we will use so
+ * SSL_get_certificate et al can pick it up.
+ */
+ s->cert->key = certpkey;
 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
 switch (r)
 {
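Review bot: The added `s->cert->key = certpkey;` sits inside the `if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)` branch, so the current certificate is switched to the one actually sent only on handshakes where the client requested a status and a status callback is configured; on every other server handshake SSL_get_certificate()/SSL_get_privatekey() keep reporting the default `s->cert->key`, which is narrower than what the CHANGES entry states. Hoisting the lookup and the assignment above that condition (`certpkey = ssl_get_server_send_pkey(s); if (certpkey != NULL) s->cert->key = certpkey;`) and keeping only the NULL early-return inside the callback branch would make the invariant hold regardless of status_request. The assignment also persists on the SSL object and is never restored, so a renegotiation that selects a different certificate presumably overwrites it while a resumed session would keep the last value — worth stating in the comment above it. This path dereferences `s->cert` unguarded while SSL_get_certificate() in the same commit still tests `s->cert != NULL`; if ssl_get_server_send_pkey() can return non-NULL with a NULL `s->cert`, the same guard belongs here. ssl_check_clienthello_tlsext_late() starts before the hunk and continues past it.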