On 05.02.2014 14:05, Kaspar Brand wrote:
> On 03.02.2014 12:21, Dr Stephen Henson wrote:
>> On 02/02/2014 13:45, Kaspar Brand wrote:
>>> Yes, this sounds like a useful extension - not only for the issue at
>>> hand (i.e. SSL_CONF and stapling initialisation), but as a general
>>> mechanism for retrieving all certificates of an SSL_CTX.
>>>
>>
>> Added now. The API is slightly different, but easy enough to use.
>
> I have adapted the stapling init code in trunk to switch to this
> mechanism with r1564760 (just committed). Reviews appreciated, would
> afterwards propose for backport.
Steve, I just noticed that using SSL_CTX_set_current_cert became
broken with [1] and [2], respectively - SSL_CTX_get0_certificate
may now return bogus pointers (and we segfault when trying to
dereference them, worst case). Patch for ssl_cert.c attached.
Kaspar
[1]
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=358d352aa244b4f2ef655bccff6658d92d5ce03c
[2]
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c3f5d3d93ac81c2866a739f1981d948e6aba1fde
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 830490e..aaa6e0a 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -664,7 +664,7 @@ int ssl_cert_set_current(CERT *c, long op)
return 0;
for (i = idx; i < SSL_PKEY_NUM; i++)
{
- CERT_PKEY *cpk = c->key + i;
+ CERT_PKEY *cpk = c->pkeys + i;
if (cpk->x509 && cpk->privatekey)
{
c->key = cpk;
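Review bot: the change to `CERT_PKEY *cpk = c->pkeys + i;` is the right one, and the reason is visible two lines later: `c->key = cpk;` makes `c->key` point at a single element of `pkeys`, so the old `c->key + i` was offset from the currently selected certificate instead of from the array base, and with the loop bound `i < SSL_PKEY_NUM` it overruns `pkeys` whenever the current entry is not slot 0 (which is exactly the case where the selection is invisible, so the bug would not show up with a single certificate loaded). Nothing else in the hunk needs changing; the one thing I would add alongside it is a regression check that selects a non-first slot via SSL_CTX_set_current_cert and verifies the pointer SSL_CTX_get0_certificate returns lies within the pkeys array, since that is the failure mode reported.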
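To make the failure mode concrete, here is an added example (not OpenSSL's code, and not part of this thread): a deliberately simplified stand-in for the CERT structure from ssl_cert.c, with a `key` pointer into a `pkeys[]` array, mirroring the names in the patch. The slot count, the field types and the helper functions are constructed for the illustration only; the assumption carried over from the real code is that `c->key` always points at one element of `c->pkeys`. The buggy arithmetic is evaluated without dereferencing, so the block runs cleanly and reports how many of the pointers the old loop would have visited fall outside the array.

```c
/* Added example, not OpenSSL code: a constructed model of CERT / CERT_PKEY
 * to show why "c->key + i" walks off the end of pkeys[] while
 * "c->pkeys + i" does not. Field types are placeholders. */
#include <stdio.h>
#include <stddef.h>

#define SSL_PKEY_NUM 8   /* assumption: slot count chosen for this model */

typedef struct {
    int x509;        /* stands in for X509 *x509 (non-zero = loaded) */
    int privatekey;  /* stands in for EVP_PKEY *privatekey */
} CERT_PKEY;

typedef struct {
    CERT_PKEY *key;                 /* current cert: points INTO pkeys[] */
    CERT_PKEY pkeys[SSL_PKEY_NUM];  /* the array the loop must index from */
} CERT;

/* Build a CERT whose current entry is pkeys[current_slot] and whose only
 * complete (cert + key) entry is pkeys[loaded_slot]. Constructed input. */
static void make_cert(CERT *c, int current_slot, int loaded_slot)
{
    int i;
    for (i = 0; i < SSL_PKEY_NUM; i++) {
        c->pkeys[i].x509 = 0;
        c->pkeys[i].privatekey = 0;
    }
    c->pkeys[loaded_slot].x509 = 1;
    c->pkeys[loaded_slot].privatekey = 1;
    c->key = c->pkeys + current_slot;
}

/* The corrected loop from the patch (c->pkeys + i): selects the first
 * complete entry at or after idx, returns its slot index or -1. */
int set_current_fixed(CERT *c, int idx)
{
    int i;
    for (i = idx; i < SSL_PKEY_NUM; i++) {
        CERT_PKEY *cpk = c->pkeys + i;
        if (cpk->x509 && cpk->privatekey) {
            c->key = cpk;
            return i;
        }
    }
    return -1;
}

/* The old arithmetic (c->key + i), evaluated as indices rather than
 * dereferenced: returns how many of the pointers the loop would touch lie
 * outside pkeys[0..SSL_PKEY_NUM-1]. Any non-zero result is an out-of-bounds
 * read in the real code, which is where the bogus pointers come from. */
int buggy_out_of_bounds_count(const CERT *c, int idx)
{
    int i, bad = 0;
    ptrdiff_t cur = c->key - c->pkeys;   /* slot the current cert occupies */
    for (i = idx; i < SSL_PKEY_NUM; i++) {
        if (cur + i >= SSL_PKEY_NUM)
            bad++;
    }
    return bad;
}

/* Scenario 1: current cert in slot 3, the only complete entry in slot 5. */
int demo_fixed(void)
{
    CERT c;
    make_cert(&c, 3, 5);
    return set_current_fixed(&c, 0);          /* 5: found by array base */
}

int demo_buggy(void)
{
    CERT c;
    make_cert(&c, 3, 5);
    return buggy_out_of_bounds_count(&c, 0);  /* 3: i = 5,6,7 overrun */
}

/* Scenario 2: current cert in slot 0. The old code happens to work here,
 * which is why a single-certificate setup never exposed the bug. */
int demo_buggy_masked(void)
{
    CERT c;
    make_cert(&c, 0, 5);
    return buggy_out_of_bounds_count(&c, 0);  /* 0: bases coincide */
}

int main(void)
{
    printf("fixed loop selects slot %d\n", demo_fixed());
    printf("old loop, current=slot 3: %d out-of-bounds pointers\n", demo_buggy());
    printf("old loop, current=slot 0: %d out-of-bounds pointers\n", demo_buggy_masked());
    return 0;
}
```

The masked case is the one worth remembering in review: pointer arithmetic from an element instead of the base is only wrong once the element is not the first, so a test that loads one certificate and calls the selection API will pass on both versions of the loop.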