Revise ssl code to use a CERT_PKEY structure when outputting a

certificate chain instead of an X509 structure.

This makes it easier to enhance code in future and the chain
output functions have access to the CERT_PKEY structure being
used.

9 files changed, 28 insertions, 21 deletions

diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index ad2d1fcc9..b96e34f2e 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -992,13 +992,13 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, int b)
 	return(dtls1_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC));
 	}
 
-unsigned long dtls1_output_cert_chain(SSL *s, X509 *x)
+unsigned long dtls1_output_cert_chain(SSL *s, CERT_PKEY *cpk)
 	{
 	unsigned char *p;
 	unsigned long l= 3 + DTLS1_HM_HEADER_LENGTH;
 	BUF_MEM *buf=s->init_buf;
 
-	if (!ssl_add_cert_chain(s, x, &l))
+	if (!ssl_add_cert_chain(s, cpk, &l))
 		return 0;
 
 	l-= (3 + DTLS1_HM_HEADER_LENGTH);
diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index bb1fd6ac0..299ffb39b 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -1695,7 +1695,7 @@ int dtls1_send_client_certificate(SSL *s)
 		{
 		s->state=SSL3_ST_CW_CERT_D;
 		l=dtls1_output_cert_chain(s,
-			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
+			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key);
 		s->init_num=(int)l;
 		s->init_off=0;
 
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 6af53b2ff..89f47ce97 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -1570,12 +1570,12 @@ err:
 int dtls1_send_server_certificate(SSL *s)
 	{
 	unsigned long l;
-	X509 *x;
+	CERT_PKEY *cpk;
 
 	if (s->state == SSL3_ST_SW_CERT_A)
 		{
-		x=ssl_get_server_send_cert(s);
-		if (x == NULL)
+		cpk=ssl_get_server_send_pkey(s);
+		if (cpk == NULL)
 			{
 			/* VRS: allow null cert if auth == KRB5 */
 			if ((s->s3->tmp.new_cipher->algorithm_mkey != SSL_kKRB5) ||
@@ -1586,7 +1586,7 @@ int dtls1_send_server_certificate(SSL *s)
 				}
 			}
 
-		l=dtls1_output_cert_chain(s,x);
+		l=dtls1_output_cert_chain(s,cpk);
 		s->state=SSL3_ST_SW_CERT_B;
 		s->init_num=(int)l;
 		s->init_off=0;
diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index 153b2bfc7..11a9998c5 100644
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -321,13 +321,13 @@ int ssl3_send_change_cipher_spec(SSL *s, int a, int b)
 	return(ssl3_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC));
 	}
 
-unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
+unsigned long ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk)
 	{
 	unsigned char *p;
 	unsigned long l=7;
 	BUF_MEM *buf = s->init_buf;
 
-	if (!ssl_add_cert_chain(s, x, &l))
+	if (!ssl_add_cert_chain(s, cpk, &l))
 		return 0;
 
 	l-=7;
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 7a8b7f27d..e7b477a5e 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -3177,7 +3177,7 @@ int ssl3_send_client_certificate(SSL *s)
 		{
 		s->state=SSL3_ST_CW_CERT_D;
 		l=ssl3_output_cert_chain(s,
-			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
+			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key);
 		s->init_num=(int)l;
 		s->init_off=0;
 		}
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index a3343a562..b0c32bcc0 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -3362,12 +3362,12 @@ err:
 int ssl3_send_server_certificate(SSL *s)
 	{
 	unsigned long l;
-	X509 *x;
+	CERT_PKEY *cpk;
 
 	if (s->state == SSL3_ST_SW_CERT_A)
 		{
-		x=ssl_get_server_send_cert(s);
-		if (x == NULL)
+		cpk=ssl_get_server_send_pkey(s);
+		if (cpk == NULL)
 			{
 			/* VRS: allow null cert if auth == KRB5 */
 			if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) ||
@@ -3378,7 +3378,7 @@ int ssl3_send_server_certificate(SSL *s)
 				}
 			}
 
-		l=ssl3_output_cert_chain(s,x);
+		l=ssl3_output_cert_chain(s,cpk);
 		s->state=SSL3_ST_SW_CERT_B;
 		s->init_num=(int)l;
 		s->init_off=0;
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index c1e7ec1b7..3ad1f4947 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -873,12 +873,19 @@ static int ssl_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x)
 	}
 
 /* Add certificate chain to internal SSL BUF_MEM strcuture */
-int ssl_add_cert_chain(SSL *s, X509 *x, unsigned long *l)
+int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l)
 	{
 	BUF_MEM *buf = s->init_buf;
 	int no_chain;
 	int i;
 
+	X509 *x;
+
+	if (cpk)
+		x = cpk->x509;
+	else
+		x = NULL;
+
 	if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs)
 		no_chain = 1;
 	else
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 9f29f3e10..c1c825b53 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2292,7 +2292,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
 #endif
 
 /* THIS NEEDS CLEANING UP */
-X509 *ssl_get_server_send_cert(SSL *s)
+CERT_PKEY *ssl_get_server_send_pkey(SSL *s)
 	{
 	unsigned long alg_k,alg_a;
 	CERT *c;
@@ -2352,7 +2352,7 @@ X509 *ssl_get_server_send_cert(SSL *s)
 		}
 	if (c->pkeys[i].x509 == NULL) return(NULL);
 
-	return(c->pkeys[i].x509);
+	return(&c->pkeys[i]);
 	}
 
 EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 25f5fd49f..66605586a 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -825,11 +825,11 @@ int ssl_cipher_get_evp(const SSL_SESSION *s,const EVP_CIPHER **enc,
 		       const EVP_MD **md,int *mac_pkey_type,int *mac_secret_size, SSL_COMP **comp);
 int ssl_get_handshake_digest(int i,long *mask,const EVP_MD **md);			   
 int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
-int ssl_add_cert_chain(SSL *s, X509 *x, unsigned long *l);
+int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l);
 int ssl_undefined_function(SSL *s);
 int ssl_undefined_void_function(void);
 int ssl_undefined_const_function(const SSL *s);
-X509 *ssl_get_server_send_cert(SSL *);
+CERT_PKEY *ssl_get_server_send_pkey(SSL *);
 EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd);
 int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
 void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
@@ -897,7 +897,7 @@ void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len);
 int ssl3_enc(SSL *s, int send_data);
 int n_ssl3_mac(SSL *ssl, unsigned char *md, int send_data);
 void ssl3_free_digest_list(SSL *s);
-unsigned long ssl3_output_cert_chain(SSL *s, X509 *x);
+unsigned long ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk);
 SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,STACK_OF(SSL_CIPHER) *clnt,
 			       STACK_OF(SSL_CIPHER) *srvr);
 int	ssl3_setup_buffers(SSL *s);
@@ -951,7 +951,7 @@ int dtls1_write_bytes(SSL *s, int type, const void *buf, int len);
 
 int dtls1_send_change_cipher_spec(SSL *s, int a, int b);
 int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen);
-unsigned long dtls1_output_cert_chain(SSL *s, X509 *x);
+unsigned long dtls1_output_cert_chain(SSL *s, CERT_PKEY *cpk);
 int dtls1_read_failed(SSL *s, int code);
 int dtls1_buffer_message(SSL *s, int ccs);
 int dtls1_retransmit_message(SSL *s, unsigned short seq,