Revise ssl code to use a CERT_PKEY structure when outputting a
certificate chain instead of an X509 structure.

This makes the code easier to enhance in future and gives the
chain output functions access to the CERT_PKEY structure being
used.
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index ad2d1fc..b96e34f 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -992,13 +992,13 @@
 	return(dtls1_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC));
 	}
 
-unsigned long dtls1_output_cert_chain(SSL *s, X509 *x)
+unsigned long dtls1_output_cert_chain(SSL *s, CERT_PKEY *cpk)
 	{
 	unsigned char *p;
 	unsigned long l= 3 + DTLS1_HM_HEADER_LENGTH;
 	BUF_MEM *buf=s->init_buf;
 
-	if (!ssl_add_cert_chain(s, x, &l))
+	if (!ssl_add_cert_chain(s, cpk, &l))
 		return 0;
 
 	l-= (3 + DTLS1_HM_HEADER_LENGTH);
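Review bot: `dtls1_output_cert_chain` has no comment stating that `cpk` may be NULL, yet the client caller in d1_clnt.c passes NULL when `cert_req == 2`, and the function forwards the pointer unchecked to `ssl_add_cert_chain`. A one-line comment above the definition would record the contract: `/* cpk may be NULL when there is no certificate to send; ssl_add_cert_chain() handles that case */`. `ssl3_output_cert_chain` in s3_both.c needs the same comment. The function body continues past the end of the hunk.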
diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index bb1fd6a..299ffb3 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -1695,7 +1695,7 @@
 		{
 		s->state=SSL3_ST_CW_CERT_D;
 		l=dtls1_output_cert_chain(s,
-			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
+			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key);
 		s->init_num=(int)l;
 		s->init_off=0;
 
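Review bot: The value returned by `dtls1_output_cert_chain` is stored in `l` and copied into `s->init_num` without being checked, although the function visibly returns 0 when `ssl_add_cert_chain` fails (d1_both.c). On that path the state has already been set to `SSL3_ST_CW_CERT_D`, so the handshake would apparently go on with a zero-length message instead of stopping. A guard such as `if (l == 0) return(0);` directly after the call would prevent that, assuming 0 matches the function's other error returns, which lie outside the hunk. The same unchecked pattern is at the calls in d1_srvr.c, s3_clnt.c and s3_srvr.c.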
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 6af53b2..89f47ce 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -1570,12 +1570,12 @@
 int dtls1_send_server_certificate(SSL *s)
 	{
 	unsigned long l;
-	X509 *x;
+	CERT_PKEY *cpk;
 
 	if (s->state == SSL3_ST_SW_CERT_A)
 		{
-		x=ssl_get_server_send_cert(s);
-		if (x == NULL)
+		cpk=ssl_get_server_send_pkey(s);
+		if (cpk == NULL)
 			{
 			/* VRS: allow null cert if auth == KRB5 */
 			if ((s->s3->tmp.new_cipher->algorithm_mkey != SSL_kKRB5) ||
@@ -1586,7 +1586,7 @@
 				}
 			}
 
-		l=dtls1_output_cert_chain(s,x);
+		l=dtls1_output_cert_chain(s,cpk);
 		s->state=SSL3_ST_SW_CERT_B;
 		s->init_num=(int)l;
 		s->init_off=0;
diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index 153b2bf..11a9998 100644
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -321,13 +321,13 @@
 	return(ssl3_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC));
 	}
 
-unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
+unsigned long ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk)
 	{
 	unsigned char *p;
 	unsigned long l=7;
 	BUF_MEM *buf = s->init_buf;
 
-	if (!ssl_add_cert_chain(s, x, &l))
+	if (!ssl_add_cert_chain(s, cpk, &l))
 		return 0;
 
 	l-=7;
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 7a8b7f2..e7b477a 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -3177,7 +3177,7 @@
 		{
 		s->state=SSL3_ST_CW_CERT_D;
 		l=ssl3_output_cert_chain(s,
-			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
+			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key);
 		s->init_num=(int)l;
 		s->init_off=0;
 		}
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index a3343a5..b0c32bc 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -3362,12 +3362,12 @@
 int ssl3_send_server_certificate(SSL *s)
 	{
 	unsigned long l;
-	X509 *x;
+	CERT_PKEY *cpk;
 
 	if (s->state == SSL3_ST_SW_CERT_A)
 		{
-		x=ssl_get_server_send_cert(s);
-		if (x == NULL)
+		cpk=ssl_get_server_send_pkey(s);
+		if (cpk == NULL)
 			{
 			/* VRS: allow null cert if auth == KRB5 */
 			if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) ||
@@ -3378,7 +3378,7 @@
 				}
 			}
 
-		l=ssl3_output_cert_chain(s,x);
+		l=ssl3_output_cert_chain(s,cpk);
 		s->state=SSL3_ST_SW_CERT_B;
 		s->init_num=(int)l;
 		s->init_off=0;
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index c1e7ec1..3ad1f49 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -873,12 +873,19 @@
 	}
 
 /* Add certificate chain to internal SSL BUF_MEM strcuture */
-int ssl_add_cert_chain(SSL *s, X509 *x, unsigned long *l)
+int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l)
 	{
 	BUF_MEM *buf = s->init_buf;
 	int no_chain;
 	int i;
 
+	X509 *x;
+
+	if (cpk)
+		x = cpk->x509;
+	else
+		x = NULL;
+
 	if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs)
 		no_chain = 1;
 	else
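Review bot: The new local `x` is declared apart from the other locals and then set by a four-line if/else. Writing `X509 *x = cpk ? cpk->x509 : NULL;` alongside the declarations of `buf`, `no_chain` and `i` says the same in one line and keeps the NULL handling next to the declaration. The function body continues past the end of the hunk.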
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 9f29f3e..c1c825b 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2292,7 +2292,7 @@
 #endif
 
 /* THIS NEEDS CLEANING UP */
-X509 *ssl_get_server_send_cert(SSL *s)
+CERT_PKEY *ssl_get_server_send_pkey(SSL *s)
 	{
 	unsigned long alg_k,alg_a;
 	CERT *c;
@@ -2352,7 +2352,7 @@
 		}
 	if (c->pkeys[i].x509 == NULL) return(NULL);
 
-	return(c->pkeys[i].x509);
+	return(&c->pkeys[i]);
 	}
 
 EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
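Review bot: `ssl_get_server_send_pkey` now returns `&c->pkeys[i]`, a pointer into the array owned by the `CERT` that `c` points to, and nothing tells callers that they do not own it and must not keep it beyond the lifetime of that `CERT`. The line before the return also means a non-NULL result always has `x509` set, which the server callers rely on when they treat NULL as "no certificate". A comment above the definition, next to or replacing `/* THIS NEEDS CLEANING UP */`, would document both: `/* Returns a borrowed pointer into the CERT's pkeys[]; NULL if no usable certificate. Do not free. */`. The middle of the function lies between the two hunks and is not visible here.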
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 25f5fd4..6660558 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -825,11 +825,11 @@
 		       const EVP_MD **md,int *mac_pkey_type,int *mac_secret_size, SSL_COMP **comp);
 int ssl_get_handshake_digest(int i,long *mask,const EVP_MD **md);			   
 int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
-int ssl_add_cert_chain(SSL *s, X509 *x, unsigned long *l);
+int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l);
 int ssl_undefined_function(SSL *s);
 int ssl_undefined_void_function(void);
 int ssl_undefined_const_function(const SSL *s);
-X509 *ssl_get_server_send_cert(SSL *);
+CERT_PKEY *ssl_get_server_send_pkey(SSL *);
 EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd);
 int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
 void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
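Review bot: The prototype of `ssl_add_cert_chain` here, and those of `ssl3_output_cert_chain` and `dtls1_output_cert_chain` in the next two hunks, take a mutable `CERT_PKEY *`, while the only use visible in this commit is the read `cpk->x509` in ssl_cert.c. CERT_PKEY holds more than the certificate (its full definition is not shown in this diff), so the chain-output path now has write access to data it previously could not reach. Declaring the parameter `const CERT_PKEY *cpk` in the three prototypes and their definitions would keep that access read-only. This presumes the rest of `ssl_add_cert_chain`, which is outside the hunks, does not modify the structure.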
@@ -897,7 +897,7 @@
 int ssl3_enc(SSL *s, int send_data);
 int n_ssl3_mac(SSL *ssl, unsigned char *md, int send_data);
 void ssl3_free_digest_list(SSL *s);
-unsigned long ssl3_output_cert_chain(SSL *s, X509 *x);
+unsigned long ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk);
 SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,STACK_OF(SSL_CIPHER) *clnt,
 			       STACK_OF(SSL_CIPHER) *srvr);
 int	ssl3_setup_buffers(SSL *s);
@@ -951,7 +951,7 @@
 
 int dtls1_send_change_cipher_spec(SSL *s, int a, int b);
 int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen);
-unsigned long dtls1_output_cert_chain(SSL *s, X509 *x);
+unsigned long dtls1_output_cert_chain(SSL *s, CERT_PKEY *cpk);
 int dtls1_read_failed(SSL *s, int code);
 int dtls1_buffer_message(SSL *s, int ccs);
 int dtls1_retransmit_message(SSL *s, unsigned short seq,