author | Dr. Stephen Henson <steve@openssl.org> | 2012-06-29 14:24:42 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2012-06-29 14:24:42 +0000 |
commit | 18d7158809c9722f4c6d2a8af7513577274f9b56 (patch) | |
tree | 21cf503b096928ae887c28b997622eb4ee6bfd70 /ssl/ssl_locl.h | |
parent | 0f39bab0df4109bab7effc7428e1d759f36d8642 (diff) | |
download | openssl-new-18d7158809c9722f4c6d2a8af7513577274f9b56.tar.gz |
Add certificate callback. If set this is called whenever a certificate
is required by client or server. An application can decide which
certificate chain to present based on arbitrary criteria: for example
supported signature algorithms. Add very simple example to s_server.
This fixes many of the problems and restrictions of the existing client
certificate callback: for example you can now clear existing certificates
and specify the whole chain.
Diffstat (limited to 'ssl/ssl_locl.h')
-rw-r--r-- | ssl/ssl_locl.h | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index c2547ad47f..17bbbf5af4 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -550,6 +550,16 @@ typedef struct cert_st
 TLS_SIGALGS *shared_sigalgs;
 size_t shared_sigalgslen;
+ /* Certificate setup callback: if set is called whenever a
+ * certificate may be required (client or server). the callback
+ * can then examine any appropriate parameters and setup any
+ * certificates required. This allows advanced applications
+ * to select certificates on the fly: for example based on
+ * supported signature algorithms or curves.
+ */
+ int (*cert_cb)(SSL *ssl, void *arg);
+ void *cert_cb_arg;
+
 int references; /* >1 only if SSL_copy_session_id is used */
 } CERT;
@@ -888,6 +898,7 @@ int ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain);
 int ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain);
 int ssl_cert_add0_chain_cert(CERT *c, X509 *x);
 int ssl_cert_add1_chain_cert(CERT *c, X509 *x);
+void ssl_cert_set_cert_cb(CERT *c, int (*cb)(SSL *ssl, void *arg), void *arg);
 int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
 int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l); |
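Review bot: The comment added above `cert_cb` in the first hunk does not state what the callback must return or what the handshake does when it fails, and it says nothing about the lifetime of `cert_cb_arg`; since this is the point where an application chooses which key and chain get presented, that contract is what a reviewer of the calling code needs. I would extend the comment with `* Return value: [TODO: state the success/failure values and whether a failure aborts the handshake]` and `* cert_cb_arg is opaque and not owned by the CERT; it must stay valid for the lifetime of the CERT and any copies of it`. CERT objects are duplicated when an SSL is created from an SSL_CTX (ssl_cert_dup in ssl_cert.c, outside this hunk), so presumably the companion change must copy both new fields, otherwise a callback set on the context would silently not be inherited by its SSL objects — worth confirming. Minor wording in the same comment: `the callback` should start with a capital and `setup any certificates` reads better as `set up any certificates`. The `struct cert_st` definition begins outside the hunk; the second hunk only adds the `ssl_cert_set_cert_cb` prototype and raises nothing on its own.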