X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_lib.c;h=1b8c0f42bc7955417c82a14af58e5ab4ca311a5c;hp=0b2d5ffd95575e565b8df2a61ac560885d4112f3;hb=8b8e5bed233a2d8106296c8e460be252719e0fdd;hpb=36086186a9b90cdad0d2cd0a598a10f03f8f4bcc diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 0b2d5ffd95..1b8c0f42bc 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -536,6 +536,16 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm) return X509_VERIFY_PARAM_set1(ssl->param, vpm); } +X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx) + { + return ctx->param; + } + +X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl) + { + return ssl->param; + } + void SSL_certs_clear(SSL *s) { ssl_cert_clear_certs(s->cert); @@ -1332,6 +1342,33 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s) return(NULL); } +STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s) + { + STACK_OF(SSL_CIPHER) *sk = NULL, *ciphers; + int i; + ciphers = SSL_get_ciphers(s); + if (!ciphers) + return NULL; + ssl_set_client_disabled(s); + for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) + { + const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i); + if (!ssl_cipher_disabled(s, c)) + { + if (!sk) + sk = sk_SSL_CIPHER_new_null(); + if (!sk) + return NULL; + if (!sk_SSL_CIPHER_push(sk, c)) + { + sk_SSL_CIPHER_free(sk); + return NULL; + } + } + } + return sk; + } + /** return a STACK of the ciphers available for the SSL and in order of * algorithm id */ STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s) @@ -1449,7 +1486,6 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p, { int i,j=0; SSL_CIPHER *c; - CERT *ct = s->cert; unsigned char *q; int no_scsv = s->renegotiate; /* Set disabled masks for this session */ @@ -1462,9 +1498,7 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p, { c=sk_SSL_CIPHER_value(sk,i); /* Skip disabled ciphers */ - if (c->algorithm_ssl & ct->mask_ssl || - c->algorithm_mkey & ct->mask_k || - c->algorithm_auth & ct->mask_a) + if (ssl_cipher_disabled(s, c)) continue; #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL if (c->id == SSL3_CK_SCSV) @@ -1596,7 +1630,6 @@ int SSL_get_servername_type(const SSL *s) return -1; } -# ifndef OPENSSL_NO_NEXTPROTONEG /* SSL_select_next_proto implements the standard protocol selection. It is * expected that this function is called from the callback set by * SSL_CTX_set_next_proto_select_cb. @@ -1663,6 +1696,7 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, const unsi return status; } +# ifndef OPENSSL_NO_NEXTPROTONEG /* SSL_get0_next_proto_negotiated sets *data and *len to point to the client's * requested protocol for this connection and returns 0. If the client didn't * request any protocol, then *data is set to NULL. @@ -1855,7 +1889,7 @@ int SSL_CTX_set_cli_supp_data(SSL_CTX *ctx, return 0; ctx->cli_supp_data_records = OPENSSL_realloc(ctx->cli_supp_data_records, - (ctx->cli_supp_data_records_count+1) * sizeof(cli_supp_data_record)); + (ctx->cli_supp_data_records_count+1) * sizeof(cli_supp_data_record)); if (!ctx->cli_supp_data_records) { ctx->cli_supp_data_records_count = 0; @@ -1884,7 +1918,7 @@ int SSL_CTX_set_srv_supp_data(SSL_CTX *ctx, return 0; ctx->srv_supp_data_records = OPENSSL_realloc(ctx->srv_supp_data_records, - (ctx->srv_supp_data_records_count+1) * sizeof(srv_supp_data_record)); + (ctx->srv_supp_data_records_count+1) * sizeof(srv_supp_data_record)); if (!ctx->srv_supp_data_records) { ctx->srv_supp_data_records_count = 0; @@ -2343,8 +2377,8 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) rsa_tmp=rsa_tmp_export=0; #endif #ifndef OPENSSL_NO_DH - dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL); - dh_tmp_export=(c->dh_tmp_cb != NULL || + dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL || c->dh_tmp_auto); + dh_tmp_export= !c->dh_tmp_auto && (c->dh_tmp_cb != NULL || (dh_tmp && DH_size(c->dh_tmp)*8 <= kl)); #else dh_tmp=dh_tmp_export=0; @@ -2401,20 +2435,20 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) emask_k|=SSL_kRSA; #if 0 - /* The match needs to be both kEDH and aRSA or aDSA, so don't worry */ + /* The match needs to be both kDHE and aRSA or aDSA, so don't worry */ if ( (dh_tmp || dh_rsa || dh_dsa) && (rsa_enc || rsa_sign || dsa_sign)) - mask_k|=SSL_kEDH; + mask_k|=SSL_kDHE; if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) && (rsa_enc || rsa_sign || dsa_sign)) - emask_k|=SSL_kEDH; + emask_k|=SSL_kDHE; #endif if (dh_tmp_export) - emask_k|=SSL_kEDH; + emask_k|=SSL_kDHE; if (dh_tmp) - mask_k|=SSL_kEDH; + mask_k|=SSL_kDHE; if (dh_rsa) mask_k|=SSL_kDHr; if (dh_rsa_export) emask_k|=SSL_kDHr; @@ -2512,8 +2546,8 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) #ifndef OPENSSL_NO_ECDH if (have_ecdh_tmp) { - mask_k|=SSL_kEECDH; - emask_k|=SSL_kEECDH; + mask_k|=SSL_kECDHE; + emask_k|=SSL_kECDHE; } #endif @@ -2625,6 +2659,8 @@ CERT_PKEY *ssl_get_server_send_pkey(const SSL *s) int i; c = s->cert; + if (!s->s3 || !s->s3->tmp.new_cipher) + return NULL; ssl_set_cert_masks(c, s->s3->tmp.new_cipher); #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL @@ -2740,6 +2776,11 @@ void ssl_update_cache(SSL *s,int mode) } } +const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx) + { + return ctx->method; + } + const SSL_METHOD *SSL_get_ssl_method(SSL *s) { return(s->method); @@ -3103,7 +3144,6 @@ void ssl_clear_cipher_ctx(SSL *s) #endif } -/* Fix this function so that it takes an optional type parameter */ X509 *SSL_get_certificate(const SSL *s) { if (s->cert != NULL) @@ -3112,8 +3152,7 @@ X509 *SSL_get_certificate(const SSL *s) return(NULL); } -/* Fix this function so that it takes an optional type parameter */ -EVP_PKEY *SSL_get_privatekey(SSL *s) +EVP_PKEY *SSL_get_privatekey(const SSL *s) { if (s->cert != NULL) return(s->cert->key->privatekey); @@ -3121,6 +3160,22 @@ EVP_PKEY *SSL_get_privatekey(SSL *s) return(NULL); } +X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx) + { + if (ctx->cert != NULL) + return ctx->cert->key->x509; + else + return NULL; + } + +EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx) + { + if (ctx->cert != NULL) + return ctx->cert->key->privatekey; + else + return NULL ; + } + const SSL_CIPHER *SSL_get_current_cipher(const SSL *s) { if ((s->session != NULL) && (s->session->cipher != NULL))