From e5db9c3b67deb80e274f66e3832a9cfba931670c Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Tue, 11 Sep 2012 13:34:08 +0000
Subject: [PATCH] Minor enhancement to PR#2836 fix.

Instead of modifying SSL_get_certificate change the current certificate (in s->cert->key) to the one used and then SSL_get_certificate and SSL_get_privatekey will automatically work.
---
 CHANGES | 4 ++--
 ssl/ssl_lib.c | 8 --------
 ssl/t1_lib.c | 12 ++++++++++++
 3 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/CHANGES b/CHANGES
index 9cb17781ab..3dda962cbe 100644
--- a/CHANGES
+++ b/CHANGES
@@ -347,8 +347,8 @@ Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]
 *) Call OCSP Stapling callback after ciphersuite has been chosen, so
- the right response is stapled. Also change SSL_get_certificate()
- so it returns the certificate actually sent.
+ the right response is stapled. Also change current certificate to
+ the certificate actually sent.
 See http://rt.openssl.org/Ticket/Display.html?id=2836.
 [Rob Stradling ]
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 5a639c1f49..0efb961f01 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2833,14 +2833,6 @@ void ssl_clear_cipher_ctx(SSL *s)
 /* Fix this function so that it takes an optional type parameter */
 X509 *SSL_get_certificate(const SSL *s)
 {
- if (s->server)
- {
- CERT_PKEY *certpkey;
- certpkey = ssl_get_server_send_pkey(s);
- if (certpkey && certpkey->x509)
- return certpkey->x509;
- }
-
 if (s->cert != NULL)
 return(s->cert->key->x509);
 else
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 254221bcf9..31b3bd75c7 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2755,6 +2755,18 @@ int ssl_check_clienthello_tlsext_late(SSL *s)
 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
 {
 int r;
+ CERT_PKEY *certpkey;
+ certpkey = ssl_get_server_send_pkey(s);
+ /* If no certificate can't return certificate status */
+ if (certpkey == NULL)
+ {
+ s->tlsext_status_expected = 0;
+ return 1;
+ }
+ /* Set current certificate to one we will use so
+ * SSL_get_certificate et al can pick it up.
+ */
+ s->cert->key = certpkey;
 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
 switch (r)
 {
-- 
2.25.1
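Review bot: The reassignment `s->cert->key = certpkey;` is reached only inside the `tlsext_status_type != -1 && s->ctx->tlsext_status_cb` branch, so SSL_get_certificate() and SSL_get_privatekey() now report the certificate actually sent only on servers that have an OCSP status callback configured; every other server connection still sees the default `s->cert->key`, which the deleted ssl_lib.c code covered for all of `s->server`. If the commit message's "will automatically work" is the intent, the `ssl_get_server_send_pkey()` selection and the assignment belong ahead of the status-extension test (or at the point where the sent certificate is chosen) so they apply unconditionally. The new line also dereferences `s->cert` without a NULL test, whereas the removed SSL_get_certificate code guarded `s->cert != NULL`; presumably ssl_get_server_send_pkey() can only return non-NULL when `s->cert` is set, but that assumption deserves a one-line comment since a stale or swapped `s->cert->key` is now persistent state of the SSL object. The first added comment is terse; I would write `/* No certificate to send, so no status response can be supplied: tell the peer not to expect one */`. ssl_check_clienthello_tlsext_late() begins and ends outside this hunk.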