Emulate the client_cert_cb with cert_cb. This avoids needing a extra state around client certificates to avoid calling the callbacks twice. This does, however, come with a behavior change: configuring both callbacks won't work. No consumer does this. (Except bssl_shim which needed slight tweaks.) Change-Id: Ia5426ed2620e40eecdcf352216c4a46764e31a9a Reviewed-on: https://boringssl-review.googlesource.com/12690 Reviewed-by: Adam Langley <agl@google.com>

commit: 5edfc8cc170abd47a3da6184546db0b791a3e9e5 [log] [tgz]
author: David Benjamin <davidben@google.com> Sat Dec 10 15:46:58 2016 -0500
committer: Adam Langley <agl@google.com> Mon Dec 12 21:58:24 2016 +0000
tree: a7f625a35467a73a49025640f5f9e9d7b0e23e56
parent: 5888946777265ca06726961f7fc9b7faf4effcab [diff] [blame]
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 8b59ea5..b123b34 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h

@@ -3460,7 +3460,8 @@
  * |SSL_get_client_CA_list| for information on the server's certificate request.
  *
  * Use |SSL_CTX_set_cert_cb| instead. Configuring intermediate certificates with
- * this function is confusing. */
+ * this function is confusing. This callback may not be registered concurrently
+ * with |SSL_CTX_set_cert_cb| or |SSL_set_cert_cb|. */
 OPENSSL_EXPORT void SSL_CTX_set_client_cert_cb(
     SSL_CTX *ctx,
     int (*client_cert_cb)(SSL *ssl, X509 **out_x509, EVP_PKEY **out_pkey));
commit	5edfc8cc170abd47a3da6184546db0b791a3e9e5	[log] [tgz]
author	David Benjamin <davidben@google.com>	Sat Dec 10 15:46:58 2016 -0500
committer	Adam Langley <agl@google.com>	Mon Dec 12 21:58:24 2016 +0000
tree	a7f625a35467a73a49025640f5f9e9d7b0e23e56
parent	5888946777265ca06726961f7fc9b7faf4effcab [diff] [blame]