Add certificate callback. If set this is called whenever a certificate is required by client or server. An application can decide which certificate chain to present based on arbitrary criteria: for example supported signature algorithms. Add very simple example to s_server. This fixes many of the problems and restrictions of the existing client certificate callback: for example you can now clear existing certificates and specify the whole chain.

commit: 18d7158809c9722f4c6d2a8af7513577274f9b56 [log] [tgz]
author: Dr. Stephen Henson <steve@openssl.org> Fri Jun 29 14:24:42 2012 +0000
committer: Dr. Stephen Henson <steve@openssl.org> Fri Jun 29 14:24:42 2012 +0000
tree: 21cf503b096928ae887c28b997622eb4ee6bfd70
parent: 0f39bab0df4109bab7effc7428e1d759f36d8642 [diff] [blame]
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index c51f3d0..8d7bcfe 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c

@@ -3180,6 +3180,13 @@
 
 	if (s->state ==	SSL3_ST_CW_CERT_A)
 		{
+		/* Let cert callback update client certificates if required */
+		if (s->cert->cert_cb
+			&& s->cert->cert_cb(s, s->cert->cert_cb_arg) <= 0)
+			{
+			ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR);
+			return 0;
+			}
 		if (ssl3_check_client_certificate(s))
 			s->state=SSL3_ST_CW_CERT_C;
 		else
commit	18d7158809c9722f4c6d2a8af7513577274f9b56	[log] [tgz]
author	Dr. Stephen Henson <steve@openssl.org>	Fri Jun 29 14:24:42 2012 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	Fri Jun 29 14:24:42 2012 +0000
tree	21cf503b096928ae887c28b997622eb4ee6bfd70
parent	0f39bab0df4109bab7effc7428e1d759f36d8642 [diff] [blame]