X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_lib.c;h=1cc3ac9cb6c4e7d17381c31d943cfb23c4c53572;hp=eae31f98225a1ab06586bd483d29dfd3d9e20d35;hb=7806f3dd4b44a0de379b4b8ac3ffc0fc8f249415;hpb=89bbe14c506b9bd2fd00e6bae22a99ef1ee7ad19

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index eae31f9822..1cc3ac9cb6 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1272,7 +1272,7 @@ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
 		c=sk_SSL_CIPHER_value(sk,i);
 		for (cp=c->name; *cp; )
 			{
-			if (len-- == 0)
+			if (len-- <= 0)
 				{
 				*p='\0';
 				return(buf);
@@ -1707,8 +1707,8 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
 	emask=0;
 
 #ifdef CIPHER_DEBUG
-	printf("rt=%d rte=%d dht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
-		rsa_tmp,rsa_tmp_export,dh_tmp,
+	printf("rt=%d rte=%d dht=%d ecdht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
+	        rsa_tmp,rsa_tmp_export,dh_tmp,ecdh_tmp,
 		rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa);
 #endif
 
@@ -1780,14 +1780,20 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
 #ifndef OPENSSL_NO_ECDH
 		if (ecdh_ok)
 			{
-			if ((signature_nid == NID_md5WithRSAEncryption) ||
-			    (signature_nid == NID_md4WithRSAEncryption) ||
-			    (signature_nid == NID_md2WithRSAEncryption))
+			const char *sig = OBJ_nid2ln(signature_nid);
+			if (sig == NULL)
+				{
+				ERR_clear_error();
+				sig = "unknown";
+				}
+				
+			if (strstr(sig, "WithRSA"))
 				{
 				mask|=SSL_kECDHr|SSL_aECDH;
 				if (ecc_pkey_size <= 163)
 					emask|=SSL_kECDHr|SSL_aECDH;
 				}
+
 			if (signature_nid == NID_ecdsa_with_SHA1)
 				{
 				mask|=SSL_kECDHe|SSL_aECDH;
@@ -1827,7 +1833,7 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
 #define ku_reject(x, usage) \
 	(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
 
-int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
+int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
 	{
 	unsigned long alg = cs->algorithms;
 	EVP_PKEY *pkey = NULL;
@@ -1848,37 +1854,46 @@ int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
 	X509_check_purpose(x, -1, 0);
 	if ((x->sig_alg) && (x->sig_alg->algorithm))
 		signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
-	if (alg & SSL_kECDH) 
+	if (alg & SSL_kECDHe || alg & SSL_kECDHr) 
 		{
 		/* key usage, if present, must allow key agreement */
 		if (ku_reject(x, X509v3_KU_KEY_AGREEMENT))
 			{
+			SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
 			return 0;
 			}
-		if (alg & SSL_aECDSA) 
+		if (alg & SSL_kECDHe)
 			{
 			/* signature alg must be ECDSA */
 			if (signature_nid != NID_ecdsa_with_SHA1)
 				{
+				SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);
 				return 0;
 				}
 			}
-		if (alg & SSL_aRSA)
+		if (alg & SSL_kECDHr)
 			{
 			/* signature alg must be RSA */
-			if ((signature_nid != NID_md5WithRSAEncryption) &&
-			    (signature_nid != NID_md4WithRSAEncryption) &&
-			    (signature_nid != NID_md2WithRSAEncryption))
+
+			const char *sig = OBJ_nid2ln(signature_nid);
+			if (sig == NULL)
 				{
+				ERR_clear_error();
+				sig = "unknown";
+				}
+			if (strstr(sig, "WithRSA") == NULL)
+				{
+				SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);
 				return 0;
 				}
 			}
 		} 
-	else if (alg & SSL_aECDSA)
+	if (alg & SSL_aECDSA)
 		{
 		/* key usage, if present, must allow signing */
 		if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))
 			{
+			SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_SIGNING);
 			return 0;
 			}
 		}
@@ -2535,14 +2550,14 @@ int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
 #endif
 
 void SSL_set_info_callback(SSL *ssl,
-			   void (*cb)(const SSL *ssl,int type,int val))
+	void (*cb)(const SSL *ssl,int type,int val))
 	{
 	ssl->info_callback=cb;
 	}
 
 /* One compiler (Diab DCC) doesn't like argument names in returned
    function pointer.  */
-void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/)
+void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/) 
 	{
 	return ssl->info_callback;
 	}
@@ -2749,6 +2764,36 @@ const char *SSL_get_psk_identity(const SSL *s)
 		return NULL;
 	return(s->session->psk_identity);
 	}
+
+void SSL_set_psk_client_callback(SSL *s, 
+	unsigned int (*cb)(SSL *ssl, const char *hint,
+                char *identity, unsigned int max_identity_len, unsigned char *psk,
+                unsigned int max_psk_len))
+	{
+	s->psk_client_callback = cb;	
+	}
+
+void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx,
+	unsigned int (*cb)(SSL *ssl, const char *hint,
+                char *identity, unsigned int max_identity_len, unsigned char *psk,
+                unsigned int max_psk_len))
+	{
+	ctx->psk_client_callback = cb;	
+	}
+
+void SSL_set_psk_server_callback(SSL *s, 
+	unsigned int (*cb)(SSL *ssl, const char *identity,
+                unsigned char *psk, unsigned int max_psk_len))
+	{
+	s->psk_server_callback = cb;	
+	}
+
+void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx,
+	unsigned int (*cb)(SSL *ssl, const char *identity,
+                unsigned char *psk, unsigned int max_psk_len))
+	{
+	ctx->psk_server_callback = cb;	
+	}
 #endif
 
 void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))