X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_lib.c;h=14634e2406384efe0fda0bb3a87298513211a665;hp=a61cd1f0dc1179444e7f589ec4d076089270a884;hb=e27711cfddb15b3bd0c42c804d37ea0f33a3e4e5;hpb=060a38a2c06145df02d04af20e31bacf30f192e2 diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index a61cd1f0dc..14634e2406 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -176,7 +176,10 @@ SSL3_ENC_METHOD ssl3_undef_enc_method={ 0, /* client_finished_label_len */ NULL, /* server_finished_label */ 0, /* server_finished_label_len */ - (int (*)(int))ssl_undefined_function + (int (*)(int))ssl_undefined_function, + (int (*)(SSL *, unsigned char *, size_t, const char *, + size_t, const unsigned char *, size_t, + int use_context)) ssl_undefined_function, }; int SSL_clear(SSL *s) @@ -260,7 +263,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx,const SSL_METHOD *meth) sk=ssl_create_cipher_list(ctx->method,&(ctx->cipher_list), &(ctx->cipher_list_by_id), - meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST); + meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST, ctx->cert); if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); @@ -353,6 +356,28 @@ SSL *SSL_new(SSL_CTX *ctx) s->tlsext_ocsp_resplen = -1; CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); s->initial_ctx=ctx; +#ifndef OPENSSL_NO_EC + if (ctx->tlsext_ecpointformatlist) + { + s->tlsext_ecpointformatlist = + BUF_memdup(ctx->tlsext_ecpointformatlist, + ctx->tlsext_ecpointformatlist_length); + if (!s->tlsext_ecpointformatlist) + goto err; + s->tlsext_ecpointformatlist_length = + ctx->tlsext_ecpointformatlist_length; + } + if (ctx->tlsext_ellipticcurvelist) + { + s->tlsext_ellipticcurvelist = + BUF_memdup(ctx->tlsext_ellipticcurvelist, + ctx->tlsext_ellipticcurvelist_length); + if (!s->tlsext_ellipticcurvelist) + goto err; + s->tlsext_ellipticcurvelist_length = + ctx->tlsext_ellipticcurvelist_length; + } +#endif # ifndef OPENSSL_NO_NEXTPROTONEG s->next_proto_negotiated = NULL; # endif @@ -499,6 +524,11 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm) return X509_VERIFY_PARAM_set1(ssl->param, vpm); } +void SSL_certs_clear(SSL *s) + { + ssl_cert_clear_certs(s->cert); + } + void SSL_free(SSL *s) { int i; @@ -597,6 +627,11 @@ void SSL_free(SSL *s) if (s->srtp_profiles) sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles); +#ifndef OPENSSL_NO_DANE + if (s->tlsa_record && s->tlsa_record!=(void *)-1) + OPENSSL_free(s->tlsa_record); +#endif + OPENSSL_free(s); } @@ -1076,8 +1111,10 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg) s->max_cert_list=larg; return(l); case SSL_CTRL_SET_MTU: +#ifndef OPENSSL_NO_DTLS1 if (larg < (long)dtls1_min_mtu()) return 0; +#endif if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) @@ -1095,6 +1132,29 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg) if (s->s3) return s->s3->send_connection_binding; else return 0; + case SSL_CTRL_CERT_FLAGS: + return(s->cert->cert_flags|=larg); + case SSL_CTRL_CLEAR_CERT_FLAGS: + return(s->cert->cert_flags &=~larg); + + case SSL_CTRL_GET_RAW_CIPHERLIST: + if (parg) + { + if (s->cert->ciphers_raw == NULL) + return 0; + *(unsigned char **)parg = s->cert->ciphers_raw; + return (int)s->cert->ciphers_rawlen; + } + else + return ssl_put_cipher_by_char(s,NULL,NULL); +#ifndef OPENSSL_NO_DANE + case SSL_CTRL_PULL_TLSA_RECORD: + parg = SSL_get_tlsa_record_byname (parg,larg,s->version<0xF000?1:0); + /* yes, fall through */ + case SSL_CTRL_SET_TLSA_RECORD: + s->tlsa_record = parg; + return 1; +#endif default: return(s->method->ssl_ctrl(s,cmd,larg,parg)); } @@ -1121,6 +1181,20 @@ LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx) long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg) { long l; + /* For some cases with ctx == NULL perform syntax checks */ + if (ctx == NULL) + { + switch (cmd) + { + case SSL_CTRL_SET_CURVES_LIST: + return tls1_set_curves_list(NULL, NULL, parg); + case SSL_CTRL_SET_SIGALGS_LIST: + case SSL_CTRL_SET_CLIENT_SIGALGS_LIST: + return tls1_set_sigalgs_list(NULL, parg, 0); + default: + return 0; + } + } switch (cmd) { @@ -1192,6 +1266,10 @@ long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg) return 0; ctx->max_send_fragment = larg; return 1; + case SSL_CTRL_CERT_FLAGS: + return(ctx->cert->cert_flags|=larg); + case SSL_CTRL_CLEAR_CERT_FLAGS: + return(ctx->cert->cert_flags &=~larg); default: return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg)); } @@ -1292,7 +1370,7 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) STACK_OF(SSL_CIPHER) *sk; sk=ssl_create_cipher_list(ctx->method,&ctx->cipher_list, - &ctx->cipher_list_by_id,str); + &ctx->cipher_list_by_id,str, ctx->cert); /* ssl_create_cipher_list may return an empty stack if it * was unable to find a cipher matching the given rule string * (for example if the rule string specifies a cipher which @@ -1316,7 +1394,7 @@ int SSL_set_cipher_list(SSL *s,const char *str) STACK_OF(SSL_CIPHER) *sk; sk=ssl_create_cipher_list(s->ctx->method,&s->cipher_list, - &s->cipher_list_by_id,str); + &s->cipher_list_by_id,str, s->cert); /* see comment in SSL_CTX_set_cipher_list */ if (sk == NULL) return 0; @@ -1369,10 +1447,11 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p, { int i,j=0; SSL_CIPHER *c; + CERT *ct = s->cert; unsigned char *q; -#ifndef OPENSSL_NO_KRB5 - int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx); -#endif /* OPENSSL_NO_KRB5 */ + int no_scsv = s->renegotiate; + /* Set disabled masks for this session */ + ssl_set_client_disabled(s); if (sk == NULL) return(0); q=p; @@ -1380,28 +1459,27 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p, for (i=0; ialgorithm_ssl & SSL_TLSV1_2) && - (TLS1_get_client_version(s) < TLS1_2_VERSION)) + /* Skip disabled ciphers */ + if (c->algorithm_ssl & ct->mask_ssl || + c->algorithm_mkey & ct->mask_k || + c->algorithm_auth & ct->mask_a) continue; -#ifndef OPENSSL_NO_KRB5 - if (((c->algorithm_mkey & SSL_kKRB5) || (c->algorithm_auth & SSL_aKRB5)) && - nokrb5) - continue; -#endif /* OPENSSL_NO_KRB5 */ -#ifndef OPENSSL_NO_PSK - /* with PSK there must be client callback set */ - if (((c->algorithm_mkey & SSL_kPSK) || (c->algorithm_auth & SSL_aPSK)) && - s->psk_client_callback == NULL) - continue; -#endif /* OPENSSL_NO_PSK */ +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL + if (c->id == SSL3_CK_SCSV) + { + if (no_scsv) + continue; + else + no_scsv = 1; + } +#endif j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p); p+=j; } /* If p == q, no ciphers and caller indicates an error. Otherwise * add SCSV if not renegotiating. */ - if (p != q && !s->renegotiate) + if (p != q && !no_scsv) { static SSL_CIPHER scsv = { @@ -1440,6 +1518,16 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, sk_SSL_CIPHER_zero(sk); } + if (s->cert->ciphers_raw) + OPENSSL_free(s->cert->ciphers_raw); + s->cert->ciphers_raw = BUF_memdup(p, num); + if (s->cert->ciphers_raw == NULL) + { + SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,ERR_R_MALLOC_FAILURE); + goto err; + } + s->cert->ciphers_rawlen = (size_t)num; + for (i=0; inext_proto_select_cb_arg = arg; } # endif + +int SSL_CTX_set_custom_cli_ext(SSL_CTX *ctx, unsigned short ext_type, + custom_cli_ext_first_cb_fn fn1, + custom_cli_ext_second_cb_fn fn2, void* arg) + { + /* Check for duplicates */ + size_t i; + custom_cli_ext_record* record; + + for (i=0; i < ctx->custom_cli_ext_records_count; i++) + if (ext_type == ctx->custom_cli_ext_records[i].ext_type) + return 0; + + ctx->custom_cli_ext_records = OPENSSL_realloc(ctx->custom_cli_ext_records, + (ctx->custom_cli_ext_records_count+1) * sizeof(custom_cli_ext_record)); + if (!ctx->custom_cli_ext_records) { + ctx->custom_cli_ext_records_count = 0; + return 0; + } + ctx->custom_cli_ext_records_count++; + record = &ctx->custom_cli_ext_records[ctx->custom_cli_ext_records_count - 1]; + record->ext_type = ext_type; + record->fn1 = fn1; + record->fn2 = fn2; + record->arg = arg; + return 1; + } + +int SSL_CTX_set_custom_srv_ext(SSL_CTX *ctx, unsigned short ext_type, + custom_srv_ext_first_cb_fn fn1, + custom_srv_ext_second_cb_fn fn2, void* arg) + { + /* Check for duplicates */ + size_t i; + custom_srv_ext_record* record; + + for (i=0; i < ctx->custom_srv_ext_records_count; i++) + if (ext_type == ctx->custom_srv_ext_records[i].ext_type) + return 0; + + ctx->custom_srv_ext_records = OPENSSL_realloc(ctx->custom_srv_ext_records, + (ctx->custom_srv_ext_records_count+1) * sizeof(custom_srv_ext_record)); + if (!ctx->custom_srv_ext_records) { + ctx->custom_srv_ext_records_count = 0; + return 0; + } + ctx->custom_srv_ext_records_count++; + record = &ctx->custom_srv_ext_records[ctx->custom_srv_ext_records_count - 1]; + record->ext_type = ext_type; + record->fn1 = fn1; + record->fn2 = fn2; + record->arg = arg; + return 1; + } + #endif +int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, + const char *label, size_t llen, const unsigned char *p, size_t plen, + int use_context) + { + if (s->version < TLS1_VERSION) + return -1; + + return s->method->ssl3_enc->export_keying_material(s, out, olen, label, + llen, p, plen, + use_context); + } + static unsigned long ssl_session_hash(const SSL_SESSION *a) { unsigned long l; @@ -1744,7 +1899,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) ssl_create_cipher_list(ret->method, &ret->cipher_list,&ret->cipher_list_by_id, - meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST); + meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST, ret->cert); if (ret->cipher_list == NULL || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { @@ -1778,7 +1933,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data); ret->extra_certs=NULL; - ret->comp_methods=SSL_COMP_get_compression_methods(); + /* No compression for DTLS */ + if (meth->version != DTLS1_VERSION) + ret->comp_methods=SSL_COMP_get_compression_methods(); ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; @@ -1807,6 +1964,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) #ifndef OPENSSL_NO_SRP SSL_CTX_SRP_CTX_init(ret); #endif + ret->custom_cli_ext_records = NULL; + ret->custom_cli_ext_records_count = 0; + ret->custom_srv_ext_records = NULL; + ret->custom_srv_ext_records_count = 0; #ifndef OPENSSL_NO_BUF_FREELISTS ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT; ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST)); @@ -1945,6 +2106,10 @@ void SSL_CTX_free(SSL_CTX *a) #ifndef OPENSSL_NO_SRP SSL_CTX_SRP_CTX_free(a); #endif +#ifndef OPENSSL_NO_TLSEXT + OPENSSL_free(a->custom_cli_ext_records); + OPENSSL_free(a->custom_srv_ext_records); +#endif #ifndef OPENSSL_NO_ENGINE if (a->client_cert_engine) ENGINE_finish(a->client_cert_engine); @@ -1955,6 +2120,14 @@ void SSL_CTX_free(SSL_CTX *a) ssl_buf_freelist_free(a->wbuf_freelist); if (a->rbuf_freelist) ssl_buf_freelist_free(a->rbuf_freelist); +#endif +#ifndef OPENSSL_NO_TLSEXT +# ifndef OPENSSL_NO_EC + if (a->tlsext_ecpointformatlist) + OPENSSL_free(a->tlsext_ecpointformatlist); + if (a->tlsext_ellipticcurvelist) + OPENSSL_free(a->tlsext_ellipticcurvelist); +# endif /* OPENSSL_NO_EC */ #endif OPENSSL_free(a); @@ -1987,6 +2160,16 @@ void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth) X509_VERIFY_PARAM_set_depth(ctx->param, depth); } +void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cb)(SSL *ssl, void *arg), void *arg) + { + ssl_cert_set_cert_cb(c->cert, cb, arg); + } + +void SSL_set_cert_cb(SSL *s, int (*cb)(SSL *ssl, void *arg), void *arg) + { + ssl_cert_set_cert_cb(s->cert, cb, arg); + } + void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) { CERT_PKEY *cpk; @@ -2022,24 +2205,24 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) #endif #ifndef OPENSSL_NO_ECDH - have_ecdh_tmp=(c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL); + have_ecdh_tmp=(c->ecdh_tmp || c->ecdh_tmp_cb || c->ecdh_tmp_auto); #endif cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]); - rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL); + rsa_enc= cpk->valid_flags & CERT_PKEY_VALID; rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl); cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]); - rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL); + rsa_sign= cpk->valid_flags & CERT_PKEY_SIGN; cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]); - dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL); + dsa_sign= cpk->valid_flags & CERT_PKEY_SIGN; cpk= &(c->pkeys[SSL_PKEY_DH_RSA]); - dh_rsa= (cpk->x509 != NULL && cpk->privatekey != NULL); + dh_rsa= cpk->valid_flags & CERT_PKEY_VALID; dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); cpk= &(c->pkeys[SSL_PKEY_DH_DSA]); /* FIX THIS EAY EAY EAY */ - dh_dsa= (cpk->x509 != NULL && cpk->privatekey != NULL); + dh_dsa= cpk->valid_flags & CERT_PKEY_VALID; dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); cpk= &(c->pkeys[SSL_PKEY_ECC]); - have_ecc_cert= (cpk->x509 != NULL && cpk->privatekey != NULL); + have_ecc_cert= cpk->valid_flags & CERT_PKEY_VALID; mask_k=0; mask_a=0; emask_k=0; @@ -2091,6 +2274,9 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) if (dh_dsa) mask_k|=SSL_kDHd; if (dh_dsa_export) emask_k|=SSL_kDHd; + if (emask_k & (SSL_kDHr|SSL_kDHd)) + mask_a |= SSL_aDH; + if (rsa_enc || rsa_sign) { mask_a|=SSL_aRSA; @@ -2118,13 +2304,16 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) */ if (have_ecc_cert) { + cpk = &c->pkeys[SSL_PKEY_ECC]; + x = cpk->x509; /* This call populates extension flags (ex_flags) */ - x = (c->pkeys[SSL_PKEY_ECC]).x509; X509_check_purpose(x, -1, 0); ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ? (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1; ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ? (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1; + if (!(cpk->valid_flags & CERT_PKEY_SIGN)) + ecdsa_ok = 0; ecc_pkey = X509_get_pubkey(x); ecc_pkey_size = (ecc_pkey != NULL) ? EVP_PKEY_bits(ecc_pkey) : 0; @@ -2269,68 +2458,41 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) #endif -/* THIS NEEDS CLEANING UP */ -X509 *ssl_get_server_send_cert(SSL *s) +static int ssl_get_server_cert_index(const SSL *s) + { + int idx; + idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher); + if (idx == SSL_PKEY_RSA_ENC && !s->cert->pkeys[SSL_PKEY_RSA_ENC].x509) + idx = SSL_PKEY_RSA_SIGN; + if (idx == -1) + SSLerr(SSL_F_SSL_GET_SERVER_CERT_INDEX,ERR_R_INTERNAL_ERROR); + return idx; + } + +CERT_PKEY *ssl_get_server_send_pkey(const SSL *s) { - unsigned long alg_k,alg_a; CERT *c; int i; - c=s->cert; + c = s->cert; ssl_set_cert_masks(c, s->s3->tmp.new_cipher); - - alg_k = s->s3->tmp.new_cipher->algorithm_mkey; - alg_a = s->s3->tmp.new_cipher->algorithm_auth; - - if (alg_k & (SSL_kECDHr|SSL_kECDHe)) - { - /* we don't need to look at SSL_kEECDH - * since no certificate is needed for - * anon ECDH and for authenticated - * EECDH, the check for the auth - * algorithm will set i correctly - * NOTE: For ECDH-RSA, we need an ECC - * not an RSA cert but for EECDH-RSA - * we need an RSA cert. Placing the - * checks for SSL_kECDH before RSA - * checks ensures the correct cert is chosen. - */ - i=SSL_PKEY_ECC; - } - else if (alg_a & SSL_aECDSA) - { - i=SSL_PKEY_ECC; - } - else if (alg_k & SSL_kDHr) - i=SSL_PKEY_DH_RSA; - else if (alg_k & SSL_kDHd) - i=SSL_PKEY_DH_DSA; - else if (alg_a & SSL_aDSS) - i=SSL_PKEY_DSA_SIGN; - else if (alg_a & SSL_aRSA) - { - if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL) - i=SSL_PKEY_RSA_SIGN; - else - i=SSL_PKEY_RSA_ENC; - } - else if (alg_a & SSL_aKRB5) - { - /* VRS something else here? */ - return(NULL); - } - else if (alg_a & SSL_aGOST94) - i=SSL_PKEY_GOST94; - else if (alg_a & SSL_aGOST01) - i=SSL_PKEY_GOST01; - else /* if (alg_a & SSL_aNULL) */ - { - SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR); - return(NULL); - } - if (c->pkeys[i].x509 == NULL) return(NULL); - return(c->pkeys[i].x509); +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL + /* Broken protocol test: return last used certificate: which may + * mismatch the one expected. + */ + if (c->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) + return c->key; +#endif + + i = ssl_get_server_cert_index(s); + + /* This may or may not be an error. */ + if (i < 0) + return NULL; + + /* May be NULL. */ + return &c->pkeys[i]; } EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd) @@ -2342,6 +2504,15 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd) alg_a = cipher->algorithm_auth; c=s->cert; +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL + /* Broken protocol test: use last key: which may + * mismatch the one expected. + */ + if (c->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) + idx = c->key - c->pkeys; + else +#endif + if ((alg_a & SSL_aDSS) && (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)) idx = SSL_PKEY_DSA_SIGN; @@ -2365,6 +2536,47 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd) return c->pkeys[idx].privatekey; } +#ifndef OPENSSL_NO_TLSEXT +unsigned char *ssl_get_authz_data(SSL *s, size_t *authz_length) + { + CERT *c; + int i; + + c = s->cert; + i = ssl_get_server_cert_index(s); + + if (i == -1) + return NULL; + + *authz_length = 0; + if (c->pkeys[i].authz == NULL) + return(NULL); + *authz_length = c->pkeys[i].authz_length; + + return c->pkeys[i].authz; + } + +int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo, + size_t *serverinfo_length) + { + CERT *c = NULL; + int i = 0; + *serverinfo_length = 0; + + c = s->cert; + i = ssl_get_server_cert_index(s); + + if (i == -1) + return 0; + if (c->pkeys[i].serverinfo == NULL) + return 0; + + *serverinfo = c->pkeys[i].serverinfo; + *serverinfo_length = c->pkeys[i].serverinfo_length; + return 1; + } +#endif + void ssl_update_cache(SSL *s,int mode) { int i; @@ -2591,7 +2803,7 @@ const char *SSL_get_version(const SSL *s) return("TLSv1.2"); else if (s->version == TLS1_1_VERSION) return("TLSv1.1"); - if (s->version == TLS1_VERSION) + else if (s->version == TLS1_VERSION) return("TLSv1"); else if (s->version == SSL3_VERSION) return("SSLv3"); @@ -3224,6 +3436,11 @@ int SSL_cache_hit(SSL *s) return s->hit; } +int SSL_is_server(SSL *s) + { + return s->server; + } + #if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16) #include "../crypto/bio/bss_file.c" #endif