diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 984895f2f..6bd31c2de 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2287,7 +2287,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) #endif /* THIS NEEDS CLEANING UP */ -X509 *ssl_get_server_send_cert(const SSL *s) +CERT_PKEY *ssl_get_server_send_pkey(const SSL *s) { unsigned long alg_k,alg_a; CERT *c; @@ -2345,9 +2345,17 @@ X509 *ssl_get_server_send_cert(const SSL *s) SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR); return(NULL); } - if (c->pkeys[i].x509 == NULL) return(NULL); - return(c->pkeys[i].x509); + return c->pkeys + i; + } + +X509 *ssl_get_server_send_cert(const SSL *s) + { + CERT_PKEY *cpk; + cpk = ssl_get_server_send_pkey(s); + if (!cpk) + return NULL; + return cpk->x509; } EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd) diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 1fab632dd..0572e1029 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -830,6 +830,7 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk); int ssl_undefined_function(SSL *s); int ssl_undefined_void_function(void); int ssl_undefined_const_function(const SSL *s); +CERT_PKEY *ssl_get_server_send_pkey(const SSL *s); X509 *ssl_get_server_send_cert(const SSL *); EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd); int ssl_cert_type(X509 *x,EVP_PKEY *pkey); diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index dc5be972d..28eec4456 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1871,6 +1871,18 @@ int ssl_check_clienthello_tlsext_late(SSL *s) if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) { int r; + CERT_PKEY *certpkey; + certpkey = ssl_get_server_send_pkey(s); + /* If no certificate can't return certificate status */ + if (certpkey == NULL) + { + s->tlsext_status_expected = 0; + return 1; + } + /* Set current certificate to one we will use so + * SSL_get_certificate et al can pick it up. + */ + s->cert->key = certpkey; r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); switch (r) {