From 368888bcb6192b96638c3d6dd706103be52eac89 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Sun, 1 Jun 2008 22:33:24 +0000
Subject: [PATCH] Add client cert engine to SSL routines.

---
 CHANGES        |  3 +++
 ssl/d1_clnt.c  |  3 +--
 ssl/s3_clnt.c  | 24 ++++++++++++++++++++++--
 ssl/ssl.h      |  7 +++++++
 ssl/ssl_locl.h |  1 +
 ssl/ssl_sess.c | 22 ++++++++++++++++++++++
 6 files changed, 56 insertions(+), 4 deletions(-)

diff --git a/CHANGES b/CHANGES
index 9aac3ebff7..c5c50787cd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,9 @@
 
  Changes between 0.9.8g and 0.9.9  [xx XXX xxxx]
 
+  *) Expand ENGINE to support engine supplied SSL client certificate functions.
+     [Steve Henson]
+
   *) Revamp of LHASH to provide stronger type-checking. Still to come:
      STACK, TXT_DB, bsearch, qsort.
      [Ben Laurie]
diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index 322c017f76..f4e9df9810 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -1096,8 +1096,7 @@ int dtls1_send_client_certificate(SSL *s)
 		 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
 		 * We then get retied later */
 		i=0;
-		if (s->ctx->client_cert_cb != NULL)
-			i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
+		i = ssl_do_client_cert_cb(s, &x509, &pkey);
 		if (i < 0)
 			{
 			s->rwstate=SSL_X509_LOOKUP;
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 23875f00e0..8f96120d2e 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -160,6 +160,9 @@
 #include <openssl/dh.h>
 #endif
 #include <openssl/bn.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
 
 static const SSL_METHOD *ssl3_get_client_method(int ver);
 static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
@@ -2723,8 +2726,7 @@ int ssl3_send_client_certificate(SSL *s)
 		 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
 		 * We then get retied later */
 		i=0;
-		if (s->ctx->client_cert_cb != NULL)
-			i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
+		i = ssl_do_client_cert_cb(s, &x509, &pkey);
 		if (i < 0)
 			{
 			s->rwstate=SSL_X509_LOOKUP;
@@ -2948,3 +2950,21 @@ static int ssl3_check_finished(SSL *s)
 	return 1;
 	}
 #endif
+
+int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
+	{
+	int i = 0;
+#ifndef OPENSSL_NO_ENGINE
+	if (s->ctx->client_cert_engine)
+		{
+		i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
+						SSL_get_client_CA_list(s),
+						px509, ppkey, NULL, NULL);
+		if (i != 0)
+			return i;
+		}
+#endif
+	if (s->ctx->client_cert_cb)
+		i = s->ctx->client_cert_cb(s,px509,ppkey);
+	return i;
+	}
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 3c1b74aa4b..6adf11d7a7 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -798,6 +798,12 @@ struct ssl_ctx_st
 	 */
 	unsigned int max_send_fragment;
 
+#ifndef OPENSSL_ENGINE
+	/* Engine to pass requests for client certs to
+	 */
+	ENGINE *client_cert_engine;
+#endif
+
 #ifndef OPENSSL_NO_TLSEXT
 	/* TLS extensions servername callback */
 	int (*tlsext_servername_callback)(SSL*, int *, void *);
@@ -879,6 +885,7 @@ void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,int type,
 void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val);
 void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
 int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
+int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
 void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len));
 void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len));
 
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index a65071a47a..55b23304c1 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -927,6 +927,7 @@ int ssl3_get_cert_status(SSL *s);
 int ssl3_get_server_done(SSL *s);
 int ssl3_send_client_verify(SSL *s);
 int ssl3_send_client_certificate(SSL *s);
+int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey);
 int ssl3_send_client_key_exchange(SSL *s);
 int ssl3_get_key_exchange(SSL *s);
 int ssl3_get_server_certificate(SSL *s);
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 33d302aa41..12cc486b1b 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -138,6 +138,9 @@
 #include <stdio.h>
 #include <openssl/lhash.h>
 #include <openssl/rand.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
 #include "ssl_locl.h"
 
 static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
@@ -998,6 +1001,25 @@ int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509 , EVP_PK
 	return ctx->client_cert_cb;
 	}
 
+#ifndef OPENSSL_NO_ENGINE
+int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
+	{
+	if (!ENGINE_init(e))
+		{
+		SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, ERR_R_ENGINE_LIB);
+		return 0;
+		}
+	if(!ENGINE_get_ssl_client_cert_function(e))
+		{
+		SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, SSL_R_NO_CLIENT_CERT_METHOD);
+		ENGINE_finish(e);
+		return 0;
+		}
+	ctx->client_cert_engine = e;
+	return 1;
+	}
+#endif
+
 void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
 	int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len))
 	{
-- 
GitLab