authorDr. Stephen Henson <steve@openssl.org>2012-10-05 13:02:31 +0000
committerDr. Stephen Henson <steve@openssl.org>2012-10-05 13:02:31 +0000
commit71a2440ee59567edea2cf14c000f3ca9e933953c (patch)
tree0667bcc2d242159161de93012241adc4e2a5ed2d
parent04e40739f75de96e601c694b723a4503b3895645 (diff)
downloadopenssl-new-71a2440ee59567edea2cf14c000f3ca9e933953c.tar.gz
backport OCSP fix enhancement
-rw-r--r--ssl/ssl_lib.c14
-rw-r--r--ssl/ssl_locl.h1
-rw-r--r--ssl/t1_lib.c12
3 files changed, 24 insertions, 3 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 25e95fd9d2..5980b852e0 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1943,7 +1943,7 @@ int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
}
/* THIS NEEDS CLEANING UP */
-X509 *ssl_get_server_send_cert(const SSL *s)
+CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)
{
unsigned long alg,kalg;
CERT *c;
@@ -1996,9 +1996,17 @@ X509 *ssl_get_server_send_cert(const SSL *s)
SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR);
return(NULL);
}
- if (c->pkeys[i].x509 == NULL) return(NULL);
- return(c->pkeys[i].x509);
+ return c->pkeys + i;
+ }
+
+X509 *ssl_get_server_send_cert(const SSL *s)
+ {
+ CERT_PKEY *cpk;
+ cpk = ssl_get_server_send_pkey(s);
+ if (!cpk)
+ return NULL;
+ return cpk->x509;
}
EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher)
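Review bot: The new `ssl_get_server_send_pkey` drops the old `if (c->pkeys[i].x509 == NULL) return(NULL);` guard and returns `c->pkeys + i` unconditionally, so a caller that only tests the pointer for NULL can now receive a slot with no certificate in it; `ssl_get_server_send_cert` still ends up returning NULL in that case, but the new caller in t1_lib.c checks only `certpkey == NULL` before handing the slot to the status callback. Either document this at the return (`/* Caller must check ->x509; the selected slot may have no certificate loaded */`) or keep the old behaviour with `if (c->pkeys[i].x509 == NULL) return NULL;` before the return. The error path on the line above still reports `SSL_F_SSL_GET_SERVER_SEND_CERT`, which is now misleading for a function that has been renamed. The body of `ssl_get_server_send_pkey` starts outside this hunk.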
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index b9a2543bf2..9059b7d6e7 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -740,6 +740,7 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
int ssl_undefined_function(SSL *s);
int ssl_undefined_void_function(void);
int ssl_undefined_const_function(const SSL *s);
+CERT_PKEY *ssl_get_server_send_pkey(const SSL *s);
X509 *ssl_get_server_send_cert(const SSL *);
EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *);
int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
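Review bot: The new prototype says nothing about ownership or the lifetime of the returned `CERT_PKEY *`, which from the t1_lib.c caller appears to be stored straight into `s->cert->key` rather than copied; a one-line comment would save the next reader a trip through ssl_lib.c, e.g. `/* Returns a pointer into the SSL's CERT pkeys array (not owned by caller), or NULL if no usable slot was found; the slot's x509 may itself be NULL */`. The "not owned by caller" part is inferred from the `c->pkeys + i` return in ssl_lib.c and should be confirmed against the assignment of `c` there.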
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index c4cd9cd5f0..00b8286acb 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -786,6 +786,18 @@ int ssl_check_clienthello_tlsext_late(SSL *s)
if (s->tlsext_status_type != -1 && s->ctx && s->ctx->tlsext_status_cb)
{
int r;
+ CERT_PKEY *certpkey;
+ certpkey = ssl_get_server_send_pkey(s);
+ /* If no certificate can't return certificate status */
+ if (certpkey == NULL)
+ {
+ s->tlsext_status_expected = 0;
+ return 1;
+ }
+ /* Set current certificate to one we will use so
+ * SSL_get_certificate et al can pick it up.
+ */
+ s->cert->key = certpkey;
r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
switch (r)
{