Backport: Revise ssl code to use CERT_PKEY structure when outputting a certificate chain (from HEAD)

ssl/d1_both.c

@@ -992,13 +992,13 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, int b)
 	return(dtls1_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC));
 	}
 
-unsigned long dtls1_output_cert_chain(SSL *s, X509 *x)
+unsigned long dtls1_output_cert_chain(SSL *s, CERT_PKEY *cpk)
 	{
 	unsigned char *p;
 	unsigned long l= 3 + DTLS1_HM_HEADER_LENGTH;
 	BUF_MEM *buf=s->init_buf;
 
-	if (!ssl_add_cert_chain(s, x, &l))
+	if (!ssl_add_cert_chain(s, cpk, &l))
 		return 0;
 
 	l-= (3 + DTLS1_HM_HEADER_LENGTH);

ssl/d1_clnt.c

@@ -1694,7 +1694,7 @@ int dtls1_send_client_certificate(SSL *s)
 		{
 		s->state=SSL3_ST_CW_CERT_D;
 		l=dtls1_output_cert_chain(s,
-			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
+			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key);
 		s->init_num=(int)l;
 		s->init_off=0;
 

ssl/d1_srvr.c

@@ -1569,12 +1569,12 @@ err:
 int dtls1_send_server_certificate(SSL *s)
 	{
 	unsigned long l;
-	X509 *x;
+	CERT_PKEY *cpk;
 
 	if (s->state == SSL3_ST_SW_CERT_A)
 		{
-		x=ssl_get_server_send_cert(s);
-		if (x == NULL)
+		cpk=ssl_get_server_send_pkey(s);
+		if (cpk == NULL)
 			{
 			/* VRS: allow null cert if auth == KRB5 */
 			if ((s->s3->tmp.new_cipher->algorithm_mkey != SSL_kKRB5) ||
@@ -1585,7 +1585,7 @@ int dtls1_send_server_certificate(SSL *s)
 				}
 			}
 
-		l=dtls1_output_cert_chain(s,x);
+		l=dtls1_output_cert_chain(s,cpk);
 		s->state=SSL3_ST_SW_CERT_B;
 		s->init_num=(int)l;
 		s->init_off=0;

ssl/s3_both.c

@@ -319,13 +319,13 @@ int ssl3_send_change_cipher_spec(SSL *s, int a, int b)
 	return(ssl3_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC));
 	}
 
-unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
+unsigned long ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk)
 	{
 	unsigned char *p;
 	unsigned long l=7;
 	BUF_MEM *buf = s->init_buf;
 
-	if (!ssl_add_cert_chain(s, x, &l))
+	if (!ssl_add_cert_chain(s, cpk, &l))
 		return 0;
 
 	l-=7;

ssl/s3_clnt.c

@@ -3211,7 +3211,7 @@ int ssl3_send_client_certificate(SSL *s)
 		{
 		s->state=SSL3_ST_CW_CERT_D;
 		l=ssl3_output_cert_chain(s,
-			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
+			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key);
 		s->init_num=(int)l;
 		s->init_off=0;
 		}

ssl/s3_srvr.c

@@ -3351,12 +3351,12 @@ err:
 int ssl3_send_server_certificate(SSL *s)
 	{
 	unsigned long l;
-	X509 *x;
+	CERT_PKEY *cpk;
 
 	if (s->state == SSL3_ST_SW_CERT_A)
 		{
-		x=ssl_get_server_send_cert(s);
-		if (x == NULL)
+		cpk=ssl_get_server_send_pkey(s);
+		if (cpk == NULL)
 			{
 			/* VRS: allow null cert if auth == KRB5 */
 			if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) ||
@@ -3367,7 +3367,7 @@ int ssl3_send_server_certificate(SSL *s)
 				}
 			}
 
-		l=ssl3_output_cert_chain(s,x);
+		l=ssl3_output_cert_chain(s,cpk);
 		s->state=SSL3_ST_SW_CERT_B;
 		s->init_num=(int)l;
 		s->init_off=0;

ssl/ssl_cert.c

@@ -873,12 +873,19 @@ static int ssl_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x)
 	}
 
 /* Add certificate chain to internal SSL BUF_MEM strcuture */
-int ssl_add_cert_chain(SSL *s, X509 *x, unsigned long *l)
+int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l)
 	{
 	BUF_MEM *buf = s->init_buf;
 	int no_chain;
 	int i;
 
+	X509 *x;
+
+	if (cpk)
+		x = cpk->x509;
+	else
+		x = NULL;
+
 	if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs)
 		no_chain = 1;
 	else

ssl/ssl_lib.c

@@ -2290,7 +2290,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
 #endif
 
 /* THIS NEEDS CLEANING UP */
-X509 *ssl_get_server_send_cert(SSL *s)
+CERT_PKEY *ssl_get_server_send_pkey(SSL *s)
 	{
 	unsigned long alg_k,alg_a;
 	CERT *c;
@@ -2350,7 +2350,7 @@ X509 *ssl_get_server_send_cert(SSL *s)
 		}
 	if (c->pkeys[i].x509 == NULL) return(NULL);
 
-	return(c->pkeys[i].x509);
+	return(&c->pkeys[i]);
 	}
 
 EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)

ssl/ssl_locl.h

@@ -827,11 +827,11 @@ int ssl_cipher_get_evp(const SSL_SESSION *s,const EVP_CIPHER **enc,
 		       const EVP_MD **md,int *mac_pkey_type,int *mac_secret_size, SSL_COMP **comp);
 int ssl_get_handshake_digest(int i,long *mask,const EVP_MD **md);			   
 int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
-int ssl_add_cert_chain(SSL *s, X509 *x, unsigned long *l);
+int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l);
 int ssl_undefined_function(SSL *s);
 int ssl_undefined_void_function(void);
 int ssl_undefined_const_function(const SSL *s);
-X509 *ssl_get_server_send_cert(SSL *);
+CERT_PKEY *ssl_get_server_send_pkey(SSL *);
 EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd);
 int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
 void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
@@ -899,7 +899,7 @@ void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len);
 int ssl3_enc(SSL *s, int send_data);
 int n_ssl3_mac(SSL *ssl, unsigned char *md, int send_data);
 void ssl3_free_digest_list(SSL *s);
-unsigned long ssl3_output_cert_chain(SSL *s, X509 *x);
+unsigned long ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk);
 SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,STACK_OF(SSL_CIPHER) *clnt,
 			       STACK_OF(SSL_CIPHER) *srvr);
 int	ssl3_setup_buffers(SSL *s);
@@ -953,7 +953,7 @@ int dtls1_write_bytes(SSL *s, int type, const void *buf, int len);
 
 int dtls1_send_change_cipher_spec(SSL *s, int a, int b);
 int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen);
-unsigned long dtls1_output_cert_chain(SSL *s, X509 *x);
+unsigned long dtls1_output_cert_chain(SSL *s, CERT_PKEY *cpk);
 int dtls1_read_failed(SSL *s, int code);
 int dtls1_buffer_message(SSL *s, int ccs);
 int dtls1_retransmit_message(SSL *s, unsigned short seq,